arcspan/data/processed/backup/llm_annotated_mitre.jsonl
Add files using upload-large-folder tool
df108c1 verified
{"text": "Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.", "spans": {"THREAT_ACTOR: Sowbug": [[0, 6]]}, "info": {"id": "mitre_is_0000", "source": "mitre_attack", "mitre_id": "G0054", "name": "Sowbug", "type": "intrusion-set"}}
{"text": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.", "spans": {"THREAT_ACTOR: Winnti Group": [[0, 12], [309, 321]], "THREAT_ACTOR: Ke3chang": [[277, 285]], "THREAT_ACTOR: Axiom": [[259, 264]], "THREAT_ACTOR: APT17": [[266, 271]]}, "info": {"id": "mitre_is_0001", "source": "mitre_attack", "mitre_id": "G0044", "name": "Winnti Group", "type": "intrusion-set"}}
{"text": "FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.", "spans": {"THREAT_ACTOR: FIN13": [[0, 5], [167, 172]]}, "info": {"id": "mitre_is_0002", "source": "mitre_attack", "mitre_id": "G1016", "name": "FIN13", "type": "intrusion-set"}}
{"text": "Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas. Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles.", "spans": {"ORGANIZATION: General Staff Main Intelligence Directorate": [[123, 166]], "MALWARE: WhisperGate": [[441, 452]], "THREAT_ACTOR: Ember Bear": [[0, 10], [220, 230], [416, 426], [548, 558]], "THREAT_ACTOR: Saint Bear": [[618, 628]], "ORGANIZATION: GRU": [[168, 171]]}, "info": {"id": "mitre_is_0003", "source": "mitre_attack", "mitre_id": "G1003", "name": "Ember Bear", "type": "intrusion-set"}}
{"text": "OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.", "spans": {"THREAT_ACTOR: OilRig": [[0, 6]]}, "info": {"id": "mitre_is_0004", "source": "mitre_attack", "mitre_id": "G0049", "name": "OilRig", "type": "intrusion-set"}}
{"text": "APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext and Banco de Chile; some of their attacks have been destructive.\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[131, 160]], "ORGANIZATION: Bank of Bangladesh": [[384, 402]], "ORGANIZATION: Banco de Chile": [[489, 503]], "THREAT_ACTOR: Lazarus Group": [[721, 734]], "ORGANIZATION: Bancomext": [[475, 484]], "TOOL: attrib": [[113, 119]], "THREAT_ACTOR: APT38": [[0, 5], [190, 195], [423, 428]], "ORGANIZATION: SWIFT": [[275, 280]]}, "info": {"id": "mitre_is_0005", "source": "mitre_attack", "mitre_id": "G0082", "name": "APT38", "type": "intrusion-set"}}
{"text": "Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.", "spans": {"THREAT_ACTOR: Moonstone Sleet": [[0, 15], [277, 292]], "THREAT_ACTOR: Lazarus Group": [[212, 225]]}, "info": {"id": "mitre_is_0006", "source": "mitre_attack", "mitre_id": "G1036", "name": "Moonstone Sleet", "type": "intrusion-set"}}
{"text": "Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.", "spans": {"ORGANIZATION: Federal Security Service": [[77, 101]], "MALWARE: Uroburos": [[429, 437]], "TOOL: attrib": [[54, 60]], "THREAT_ACTOR: Turla": [[0, 5], [305, 310]], "ORGANIZATION: FSB": [[103, 106]]}, "info": {"id": "mitre_is_0007", "source": "mitre_attack", "mitre_id": "G0010", "name": "Turla", "type": "intrusion-set"}}
{"text": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.", "spans": {"THREAT_ACTOR: Strider": [[0, 7]]}, "info": {"id": "mitre_is_0008", "source": "mitre_attack", "mitre_id": "G0041", "name": "Strider", "type": "intrusion-set"}}
{"text": "Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.", "spans": {"THREAT_ACTOR: Gorgon Group": [[0, 12]]}, "info": {"id": "mitre_is_0009", "source": "mitre_attack", "mitre_id": "G0078", "name": "Gorgon Group", "type": "intrusion-set"}}
{"text": "Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake \"help desk\" interaction leading to the deployment of adversary tools and capabilities.", "spans": {"MALWARE: Black Basta": [[55, 66]], "THREAT_ACTOR: Storm-1811": [[0, 10], [90, 100]]}, "info": {"id": "mitre_is_0010", "source": "mitre_attack", "mitre_id": "G1046", "name": "Storm-1811", "type": "intrusion-set"}}
{"text": "Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.", "spans": {"THREAT_ACTOR: Confucius": [[0, 9], [248, 257]], "THREAT_ACTOR: Patchwork": [[262, 271]]}, "info": {"id": "mitre_is_0011", "source": "mitre_attack", "mitre_id": "G0142", "name": "Confucius", "type": "intrusion-set"}}
{"text": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.", "spans": {"THREAT_ACTOR: Winnti Group": [[221, 233]], "THREAT_ACTOR: Axiom": [[0, 5], [211, 216]]}, "info": {"id": "mitre_is_0012", "source": "mitre_attack", "mitre_id": "G0001", "name": "Axiom", "type": "intrusion-set"}}
{"text": "APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.", "spans": {"THREAT_ACTOR: Deep Panda": [[320, 330]], "THREAT_ACTOR: APT19": [[0, 5], [310, 315]]}, "info": {"id": "mitre_is_0013", "source": "mitre_attack", "mitre_id": "G0073", "name": "APT19", "type": "intrusion-set"}}
{"text": "FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.", "spans": {"THREAT_ACTOR: FIN8": [[0, 4], [276, 280]]}, "info": {"id": "mitre_is_0014", "source": "mitre_attack", "mitre_id": "G0061", "name": "FIN8", "type": "intrusion-set"}}
{"text": "GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.", "spans": {"THREAT_ACTOR: GOLD SOUTHFIELD": [[0, 15], [139, 154], [287, 302]], "MALWARE: REvil": [[101, 106]]}, "info": {"id": "mitre_is_0015", "source": "mitre_attack", "mitre_id": "G0115", "name": "GOLD SOUTHFIELD", "type": "intrusion-set"}}
{"text": "Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.\n\nEarth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.", "spans": {"THREAT_ACTOR: Winnti Group": [[748, 760]], "THREAT_ACTOR: Earth Lusca": [[0, 11], [109, 120], [595, 606], [649, 660], [806, 817]], "THREAT_ACTOR: APT41": [[734, 739]]}, "info": {"id": "mitre_is_0016", "source": "mitre_attack", "mitre_id": "G1006", "name": "Earth Lusca", "type": "intrusion-set"}}
{"text": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.", "spans": {"THREAT_ACTOR: Poseidon Group": [[0, 14], [216, 230]]}, "info": {"id": "mitre_is_0017", "source": "mitre_attack", "mitre_id": "G0033", "name": "Poseidon Group", "type": "intrusion-set"}}
{"text": "Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.", "spans": {"ORGANIZATION: Federal Security Service": [[74, 98]], "THREAT_ACTOR: Dragonfly": [[0, 9], [144, 153]], "TOOL: attrib": [[51, 57]], "ORGANIZATION: FSB": [[100, 103]]}, "info": {"id": "mitre_is_0018", "source": "mitre_attack", "mitre_id": "G0035", "name": "Dragonfly", "type": "intrusion-set"}}
{"text": "Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN). \n\nWhile Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", "spans": {"ORGANIZATION: United Nations": [[422, 436]], "THREAT_ACTOR: Naikon": [[0, 6], [255, 261], [530, 536]], "TOOL: attrib": [[65, 71]], "THREAT_ACTOR: APT30": [[570, 575]]}, "info": {"id": "mitre_is_0019", "source": "mitre_attack", "mitre_id": "G0019", "name": "Naikon", "type": "intrusion-set"}}
{"text": "APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.", "spans": {"THREAT_ACTOR: Lazarus Group": [[658, 671]], "THREAT_ACTOR: APT37": [[0, 5], [271, 276]]}, "info": {"id": "mitre_is_0020", "source": "mitre_attack", "mitre_id": "G0067", "name": "APT37", "type": "intrusion-set"}}
{"text": "Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.", "spans": {"THREAT_ACTOR: Fox Kitten": [[0, 10], [208, 218]]}, "info": {"id": "mitre_is_0021", "source": "mitre_attack", "mitre_id": "G0117", "name": "Fox Kitten", "type": "intrusion-set"}}
{"text": "ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.", "spans": {"THREAT_ACTOR: ZIRCONIUM": [[0, 9]]}, "info": {"id": "mitre_is_0022", "source": "mitre_attack", "mitre_id": "G0128", "name": "ZIRCONIUM", "type": "intrusion-set"}}
{"text": "Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.", "spans": {"THREAT_ACTOR: Mustard Tempest": [[0, 15], [119, 134]], "THREAT_ACTOR: Indrik Spider": [[154, 167]], "MALWARE: WastedLocker": [[244, 256]], "MALWARE: SocGholish": [[66, 76]]}, "info": {"id": "mitre_is_0023", "source": "mitre_attack", "mitre_id": "G1020", "name": "Mustard Tempest", "type": "intrusion-set"}}
{"text": "Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.", "spans": {"THREAT_ACTOR: Molerats": [[0, 8]]}, "info": {"id": "mitre_is_0024", "source": "mitre_attack", "mitre_id": "G0021", "name": "Molerats", "type": "intrusion-set"}}
{"text": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.", "spans": {"THREAT_ACTOR: FIN4": [[0, 4], [213, 217]]}, "info": {"id": "mitre_is_0025", "source": "mitre_attack", "mitre_id": "G0085", "name": "FIN4", "type": "intrusion-set"}}
{"text": "Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).", "spans": {"THREAT_ACTOR: Agrius": [[0, 6], [193, 199]]}, "info": {"id": "mitre_is_0026", "source": "mitre_attack", "mitre_id": "G1030", "name": "Agrius", "type": "intrusion-set"}}
{"text": "FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.", "spans": {"MALWARE: Carbanak": [[630, 638], [698, 706]], "MALWARE: REvil": [[531, 536]], "THREAT_ACTOR: FIN7": [[0, 4], [78, 82], [328, 332], [463, 467], [604, 608]]}, "info": {"id": "mitre_is_0027", "source": "mitre_attack", "mitre_id": "G0046", "name": "FIN7", "type": "intrusion-set"}}
{"text": "Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.", "spans": {"THREAT_ACTOR: Cobalt Group": [[0, 12], [254, 266], [616, 628]], "MALWARE: Carbanak": [[650, 658], [673, 681]], "ORGANIZATION: SWIFT": [[239, 244]]}, "info": {"id": "mitre_is_0028", "source": "mitre_attack", "mitre_id": "G0080", "name": "Cobalt Group", "type": "intrusion-set"}}
{"text": "TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.", "spans": {"THREAT_ACTOR: TeamTNT": [[0, 7]]}, "info": {"id": "mitre_is_0029", "source": "mitre_attack", "mitre_id": "G0139", "name": "TeamTNT", "type": "intrusion-set"}}
{"text": "Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.", "spans": {"MALWARE: Playcrypt": [[78, 87]], "MALWARE: Play": [[0, 4], [233, 237]]}, "info": {"id": "mitre_is_0030", "source": "mitre_attack", "mitre_id": "G1040", "name": "Play", "type": "intrusion-set"}}
{"text": "APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.", "spans": {"THREAT_ACTOR: APT5": [[0, 4], [196, 200]]}, "info": {"id": "mitre_is_0031", "source": "mitre_attack", "mitre_id": "G1023", "name": "APT5", "type": "intrusion-set"}}
{"text": "Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.", "spans": {"THREAT_ACTOR: Whitefly": [[0, 8]]}, "info": {"id": "mitre_is_0032", "source": "mitre_attack", "mitre_id": "G0107", "name": "Whitefly", "type": "intrusion-set"}}
{"text": "APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.", "spans": {"THREAT_ACTOR: APT39": [[0, 5], [204, 209]]}, "info": {"id": "mitre_is_0033", "source": "mitre_attack", "mitre_id": "G0087", "name": "APT39", "type": "intrusion-set"}}
{"text": "APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.", "spans": {"THREAT_ACTOR: APT32": [[0, 5]]}, "info": {"id": "mitre_is_0034", "source": "mitre_attack", "mitre_id": "G0050", "name": "APT32", "type": "intrusion-set"}}
{"text": "INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.", "spans": {"MALWARE: INC Ransomware": [[93, 107]], "THREAT_ACTOR: INC Ransom": [[0, 10], [155, 165]]}, "info": {"id": "mitre_is_0035", "source": "mitre_attack", "mitre_id": "G1032", "name": "INC Ransom", "type": "intrusion-set"}}
{"text": "Suckfly is a China-based threat group that has been active since at least 2014.", "spans": {"THREAT_ACTOR: Suckfly": [[0, 7]]}, "info": {"id": "mitre_is_0036", "source": "mitre_attack", "mitre_id": "G0039", "name": "Suckfly", "type": "intrusion-set"}}
{"text": "CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.", "spans": {"THREAT_ACTOR: CURIUM": [[0, 6], [156, 162], [356, 362]]}, "info": {"id": "mitre_is_0037", "source": "mitre_attack", "mitre_id": "G1012", "name": "CURIUM", "type": "intrusion-set"}}
{"text": "Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.", "spans": {"THREAT_ACTOR: Star Blizzard": [[0, 13], [119, 132]], "ORGANIZATION: NATO": [[321, 325]]}, "info": {"id": "mitre_is_0038", "source": "mitre_attack", "mitre_id": "G1033", "name": "Star Blizzard", "type": "intrusion-set"}}
{"text": "Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.", "spans": {"THREAT_ACTOR: Dark Caracal": [[0, 12]], "TOOL: attrib": [[45, 51]]}, "info": {"id": "mitre_is_0039", "source": "mitre_attack", "mitre_id": "G0070", "name": "Dark Caracal", "type": "intrusion-set"}}
{"text": "Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.", "spans": {"THREAT_ACTOR: Chimera": [[0, 7]]}, "info": {"id": "mitre_is_0040", "source": "mitre_attack", "mitre_id": "G0114", "name": "Chimera", "type": "intrusion-set"}}
{"text": "Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.", "spans": {"THREAT_ACTOR: Wizard Spider": [[0, 13], [149, 162]], "MALWARE: TrickBot": [[119, 127]]}, "info": {"id": "mitre_is_0041", "source": "mitre_attack", "mitre_id": "G0102", "name": "Wizard Spider", "type": "intrusion-set"}}
{"text": "Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.", "spans": {"MALWARE: Machete": [[0, 7], [262, 269]]}, "info": {"id": "mitre_is_0042", "source": "mitre_attack", "mitre_id": "G0095", "name": "Machete", "type": "intrusion-set"}}
{"text": "Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).", "spans": {"THREAT_ACTOR: Tonto Team": [[0, 10], [273, 283]]}, "info": {"id": "mitre_is_0043", "source": "mitre_attack", "mitre_id": "G0131", "name": "Tonto Team", "type": "intrusion-set"}}
{"text": "LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.", "spans": {"THREAT_ACTOR: LAPSUS$": [[0, 7], [87, 94]]}, "info": {"id": "mitre_is_0044", "source": "mitre_attack", "mitre_id": "G1004", "name": "LAPSUS$", "type": "intrusion-set"}}
{"text": "PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.", "spans": {"THREAT_ACTOR: PLATINUM": [[0, 8]]}, "info": {"id": "mitre_is_0045", "source": "mitre_attack", "mitre_id": "G0068", "name": "PLATINUM", "type": "intrusion-set"}}
{"text": "TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee.", "spans": {"MALWARE: Latrodectus": [[138, 149]], "MALWARE: Bumblebee": [[163, 172]], "MALWARE: IcedID": [[151, 157]], "THREAT_ACTOR: TA578": [[0, 5]]}, "info": {"id": "mitre_is_0046", "source": "mitre_attack", "mitre_id": "G1038", "name": "TA578", "type": "intrusion-set"}}
{"text": "Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing. Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions.\n\nKimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).\n\nIn 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.", "spans": {"ORGANIZATION: United Nations": [[256, 270]], "THREAT_ACTOR: Lazarus Group": [[811, 824]], "THREAT_ACTOR: Kimsuky": [[0, 7], [417, 424], [899, 906], [1134, 1141]], "MALWARE: Kaba": [[1069, 1073]]}, "info": {"id": "mitre_is_0047", "source": "mitre_attack", "mitre_id": "G0094", "name": "Kimsuky", "type": "intrusion-set"}}
{"text": "Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.", "spans": {"MALWARE: LockBit 3.0": [[329, 340]], "THREAT_ACTOR: Storm-0501": [[0, 10], [135, 145]], "MALWARE: BlackCat": [[296, 304]], "MALWARE: Embargo": [[346, 353]]}, "info": {"id": "mitre_is_0048", "source": "mitre_attack", "mitre_id": "G1053", "name": "Storm-0501", "type": "intrusion-set"}}
{"text": "Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.", "spans": {"THREAT_ACTOR: Higaisa": [[0, 7], [66, 73], [243, 250]]}, "info": {"id": "mitre_is_0049", "source": "mitre_attack", "mitre_id": "G0126", "name": "Higaisa", "type": "intrusion-set"}}
{"text": "Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.", "spans": {"THREAT_ACTOR: Ferocious Kitten": [[0, 16]]}, "info": {"id": "mitre_is_0050", "source": "mitre_attack", "mitre_id": "G0137", "name": "Ferocious Kitten", "type": "intrusion-set"}}
{"text": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.", "spans": {"THREAT_ACTOR: FIN6": [[0, 4]]}, "info": {"id": "mitre_is_0051", "source": "mitre_attack", "mitre_id": "G0037", "name": "FIN6", "type": "intrusion-set"}}
{"text": "SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.", "spans": {"THREAT_ACTOR: Sidewinder": [[235, 245]], "THREAT_ACTOR: SideCopy": [[0, 8], [160, 168]]}, "info": {"id": "mitre_is_0052", "source": "mitre_attack", "mitre_id": "G1008", "name": "SideCopy", "type": "intrusion-set"}}
{"text": "APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.\n\nAPT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.", "spans": {"ORGANIZATION: General Staff Main Intelligence Directorate": [[61, 104]], "THREAT_ACTOR: Sandworm Team": [[925, 938]], "TOOL: attrib": [[38, 44]], "THREAT_ACTOR: APT28": [[0, 5], [222, 227], [510, 515]], "ORGANIZATION: GRU": [[106, 109], [470, 473], [880, 883]]}, "info": {"id": "mitre_is_0053", "source": "mitre_attack", "mitre_id": "G0007", "name": "APT28", "type": "intrusion-set"}}
{"text": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.", "spans": {"THREAT_ACTOR: Threat Group-1314": [[0, 17]], "TOOL: attrib": [[26, 32]]}, "info": {"id": "mitre_is_0054", "source": "mitre_attack", "mitre_id": "G0028", "name": "Threat Group-1314", "type": "intrusion-set"}}
{"text": "Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.", "spans": {"THREAT_ACTOR: Contagious Interview": [[0, 20], [215, 235]], "SYSTEM: Windows": [[244, 251]], "SYSTEM: macOS": [[264, 269]], "SYSTEM: Linux": [[253, 258]]}, "info": {"id": "mitre_is_0055", "source": "mitre_attack", "mitre_id": "G1052", "name": "Contagious Interview", "type": "intrusion-set"}}
{"text": "Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).", "spans": {"THREAT_ACTOR: Malteiro": [[0, 8], [244, 252]], "MALWARE: Mispadu": [[171, 178]]}, "info": {"id": "mitre_is_0056", "source": "mitre_attack", "mitre_id": "G1026", "name": "Malteiro", "type": "intrusion-set"}}
{"text": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same.", "spans": {"THREAT_ACTOR: KungFu Kittens": [[278, 292]], "THREAT_ACTOR: PinkPanther": [[298, 309]], "THREAT_ACTOR: Deep Panda": [[0, 10], [214, 224], [311, 321], [451, 461]], "THREAT_ACTOR: Shell Crew": [[254, 264]], "THREAT_ACTOR: WebMasters": [[266, 276]], "THREAT_ACTOR: Black Vine": [[350, 360]], "TOOL: attrib": [[200, 206], [374, 380]], "THREAT_ACTOR: APT19": [[466, 471]]}, "info": {"id": "mitre_is_0057", "source": "mitre_attack", "mitre_id": "G0009", "name": "Deep Panda", "type": "intrusion-set"}}
{"text": "Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.", "spans": {"THREAT_ACTOR: Silence": [[0, 7]]}, "info": {"id": "mitre_is_0058", "source": "mitre_attack", "mitre_id": "G0091", "name": "Silence", "type": "intrusion-set"}}
{"text": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.", "spans": {"THREAT_ACTOR: APT18": [[0, 5]]}, "info": {"id": "mitre_is_0059", "source": "mitre_attack", "mitre_id": "G0026", "name": "APT18", "type": "intrusion-set"}}
{"text": "IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.", "spans": {"THREAT_ACTOR: IndigoZebra": [[0, 11]]}, "info": {"id": "mitre_is_0060", "source": "mitre_attack", "mitre_id": "G0136", "name": "IndigoZebra", "type": "intrusion-set"}}
{"text": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.", "spans": {"THREAT_ACTOR: APT17": [[0, 5]]}, "info": {"id": "mitre_is_0061", "source": "mitre_attack", "mitre_id": "G0025", "name": "APT17", "type": "intrusion-set"}}
{"text": "Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009.\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.", "spans": {"ORGANIZATION: General Staff Main Intelligence Directorate": [[81, 124]], "MALWARE: Olympic Destroyer": [[565, 582]], "THREAT_ACTOR: Sandworm Team": [[0, 13], [323, 336]], "MALWARE: NotPetya": [[487, 495]], "TOOL: attrib": [[58, 64]], "THREAT_ACTOR: APT28": [[867, 872]], "ORGANIZATION: GRU": [[126, 129], [283, 286], [822, 825]]}, "info": {"id": "mitre_is_0062", "source": "mitre_attack", "mitre_id": "G0034", "name": "Sandworm Team", "type": "intrusion-set"}}
{"text": "Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.", "spans": {"THREAT_ACTOR: Aoqin Dragon": [[0, 12], [107, 119], [320, 332]]}, "info": {"id": "mitre_is_0063", "source": "mitre_attack", "mitre_id": "G1007", "name": "Aoqin Dragon", "type": "intrusion-set"}}
{"text": "LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.", "spans": {"THREAT_ACTOR: LazyScripter": [[0, 12]]}, "info": {"id": "mitre_is_0064", "source": "mitre_attack", "mitre_id": "G0140", "name": "LazyScripter", "type": "intrusion-set"}}
{"text": "Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.", "spans": {"THREAT_ACTOR: Leafminer": [[0, 9]]}, "info": {"id": "mitre_is_0065", "source": "mitre_attack", "mitre_id": "G0077", "name": "Leafminer", "type": "intrusion-set"}}
{"text": "Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.", "spans": {"THREAT_ACTOR: Windshift": [[0, 9]]}, "info": {"id": "mitre_is_0066", "source": "mitre_attack", "mitre_id": "G0112", "name": "Windshift", "type": "intrusion-set"}}
{"text": "Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.", "spans": {"THREAT_ACTOR: Tropic Trooper": [[0, 14], [138, 152]]}, "info": {"id": "mitre_is_0067", "source": "mitre_attack", "mitre_id": "G0081", "name": "Tropic Trooper", "type": "intrusion-set"}}
{"text": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "spans": {"THREAT_ACTOR: Ajax Security Team": [[0, 18], [121, 139]]}, "info": {"id": "mitre_is_0068", "source": "mitre_attack", "mitre_id": "G0130", "name": "Ajax Security Team", "type": "intrusion-set"}}
{"text": "Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.", "spans": {"THREAT_ACTOR: Sidewinder": [[0, 10]]}, "info": {"id": "mitre_is_0069", "source": "mitre_attack", "mitre_id": "G0121", "name": "Sidewinder", "type": "intrusion-set"}}
{"text": "Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. \nScattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. \nScattered Spider had expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.", "spans": {"THREAT_ACTOR: Scattered Spider": [[0, 16], [391, 407], [727, 743]]}, "info": {"id": "mitre_is_0070", "source": "mitre_attack", "mitre_id": "G1015", "name": "Scattered Spider", "type": "intrusion-set"}}
{"text": "Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.", "spans": {"THREAT_ACTOR: Indrik Spider": [[0, 13], [94, 107], [321, 334]], "MALWARE: WastedLocker": [[233, 245]], "MALWARE: BitPaymer": [[222, 231]], "MALWARE: Dridex": [[135, 141]]}, "info": {"id": "mitre_is_0071", "source": "mitre_attack", "mitre_id": "G0119", "name": "Indrik Spider", "type": "intrusion-set"}}
{"text": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.", "spans": {"THREAT_ACTOR: PittyTiger": [[0, 10]]}, "info": {"id": "mitre_is_0072", "source": "mitre_attack", "mitre_id": "G0011", "name": "PittyTiger", "type": "intrusion-set"}}
{"text": "Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, Saint Bot, and information stealer, OutSteel in campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.", "spans": {"THREAT_ACTOR: Ember Bear": [[443, 453]], "THREAT_ACTOR: Saint Bear": [[0, 10], [236, 246], [398, 408]], "MALWARE: Saint Bot": [[177, 186]], "MALWARE: OutSteel": [[213, 221]]}, "info": {"id": "mitre_is_0073", "source": "mitre_attack", "mitre_id": "G1031", "name": "Saint Bear", "type": "intrusion-set"}}
{"text": "Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand. \n\nSecurity researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.", "spans": {"THREAT_ACTOR: Moses Staff": [[0, 11], [125, 136], [343, 354]]}, "info": {"id": "mitre_is_0074", "source": "mitre_attack", "mitre_id": "G1009", "name": "Moses Staff", "type": "intrusion-set"}}
{"text": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[0, 17]]}, "info": {"id": "mitre_is_0075", "source": "mitre_attack", "mitre_id": "G0027", "name": "Threat Group-3390", "type": "intrusion-set"}}
{"text": "Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.", "spans": {"THREAT_ACTOR: Gallmaker": [[0, 9]]}, "info": {"id": "mitre_is_0076", "source": "mitre_attack", "mitre_id": "G0084", "name": "Gallmaker", "type": "intrusion-set"}}
{"text": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).", "spans": {"THREAT_ACTOR: Threat Group 2889": [[192, 209]], "THREAT_ACTOR: Cleaver": [[0, 7], [122, 129], [171, 178]], "THREAT_ACTOR: TG-2889": [[211, 218]], "TOOL: attrib": [[40, 46]]}, "info": {"id": "mitre_is_0077", "source": "mitre_attack", "mitre_id": "G0003", "name": "Cleaver", "type": "intrusion-set"}}
{"text": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.", "spans": {"THREAT_ACTOR: GCMAN": [[0, 5]]}, "info": {"id": "mitre_is_0078", "source": "mitre_attack", "mitre_id": "G0036", "name": "GCMAN", "type": "intrusion-set"}}
{"text": "Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally.", "spans": {"THREAT_ACTOR: Medusa Group": [[0, 12], [367, 379], [710, 722]]}, "info": {"id": "mitre_is_0079", "source": "mitre_attack", "mitre_id": "G1051", "name": "Medusa Group", "type": "intrusion-set"}}
{"text": "RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks. RedCurl is allegedly a Russian-speaking threat actor. The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.", "spans": {"THREAT_ACTOR: RedCurl": [[0, 7], [267, 274]]}, "info": {"id": "mitre_is_0080", "source": "mitre_attack", "mitre_id": "G1039", "name": "RedCurl", "type": "intrusion-set"}}
{"text": "Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.", "spans": {"THREAT_ACTOR: Ke3chang": [[0, 8], [72, 80]], "TOOL: attrib": [[27, 33]]}, "info": {"id": "mitre_is_0081", "source": "mitre_attack", "mitre_id": "G0004", "name": "Ke3chang", "type": "intrusion-set"}}
{"text": "LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.", "spans": {"THREAT_ACTOR: Mustang Panda": [[354, 367]], "THREAT_ACTOR: LuminousMoth": [[0, 12], [107, 119], [337, 349]]}, "info": {"id": "mitre_is_0082", "source": "mitre_attack", "mitre_id": "G1014", "name": "LuminousMoth", "type": "intrusion-set"}}
{"text": "Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.", "spans": {"THREAT_ACTOR: Orangeworm": [[0, 10], [244, 254]], "MALWARE: Kwampirs": [[209, 217]], "MALWARE: Shamoon": [[328, 335]]}, "info": {"id": "mitre_is_0083", "source": "mitre_attack", "mitre_id": "G0071", "name": "Orangeworm", "type": "intrusion-set"}}
{"text": "ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.", "spans": {"THREAT_ACTOR: ToddyCat": [[0, 8]]}, "info": {"id": "mitre_is_0084", "source": "mitre_attack", "mitre_id": "G1022", "name": "ToddyCat", "type": "intrusion-set"}}
{"text": "TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.", "spans": {"THREAT_ACTOR: TA2541": [[0, 6], [156, 162]]}, "info": {"id": "mitre_is_0085", "source": "mitre_attack", "mitre_id": "G1018", "name": "TA2541", "type": "intrusion-set"}}
{"text": "DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.", "spans": {"THREAT_ACTOR: DarkVishnya": [[0, 11]]}, "info": {"id": "mitre_is_0086", "source": "mitre_attack", "mitre_id": "G0105", "name": "DarkVishnya", "type": "intrusion-set"}}
{"text": "POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.", "spans": {"THREAT_ACTOR: POLONIUM": [[0, 8], [233, 241]]}, "info": {"id": "mitre_is_0087", "source": "mitre_attack", "mitre_id": "G1005", "name": "POLONIUM", "type": "intrusion-set"}}
{"text": "HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.", "spans": {"THREAT_ACTOR: HAFNIUM": [[0, 7], [131, 138], [348, 355]]}, "info": {"id": "mitre_is_0088", "source": "mitre_attack", "mitre_id": "G0125", "name": "HAFNIUM", "type": "intrusion-set"}}
{"text": "BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.", "spans": {"THREAT_ACTOR: BackdoorDiplomacy": [[0, 17], [94, 111]]}, "info": {"id": "mitre_is_0089", "source": "mitre_attack", "mitre_id": "G0135", "name": "BackdoorDiplomacy", "type": "intrusion-set"}}
{"text": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).", "spans": {"THREAT_ACTOR: Putter Panda": [[0, 12]], "TOOL: attrib": [[53, 59]]}, "info": {"id": "mitre_is_0090", "source": "mitre_attack", "mitre_id": "G0024", "name": "Putter Panda", "type": "intrusion-set"}}
{"text": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK.", "spans": {"THREAT_ACTOR: DragonOK": [[225, 233]], "THREAT_ACTOR: Moafee": [[0, 6], [143, 149]]}, "info": {"id": "mitre_is_0091", "source": "mitre_attack", "mitre_id": "G0002", "name": "Moafee", "type": "intrusion-set"}}
{"text": "BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.", "spans": {"THREAT_ACTOR: BITTER": [[0, 6], [105, 111]]}, "info": {"id": "mitre_is_0092", "source": "mitre_attack", "mitre_id": "G1002", "name": "BITTER", "type": "intrusion-set"}}
{"text": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.", "spans": {"THREAT_ACTOR: Stealth Falcon": [[0, 14]]}, "info": {"id": "mitre_is_0093", "source": "mitre_attack", "mitre_id": "G0038", "name": "Stealth Falcon", "type": "intrusion-set"}}
{"text": "Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.", "spans": {"THREAT_ACTOR: Volatile Cedar": [[0, 14], [112, 126]]}, "info": {"id": "mitre_is_0094", "source": "mitre_attack", "mitre_id": "G0123", "name": "Volatile Cedar", "type": "intrusion-set"}}
{"text": "APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries. Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.", "spans": {"THREAT_ACTOR: Winnti Group": [[550, 562]], "THREAT_ACTOR: BARIUM": [[539, 545]], "THREAT_ACTOR: APT41": [[0, 5], [179, 184], [463, 468]]}, "info": {"id": "mitre_is_0095", "source": "mitre_attack", "mitre_id": "G0096", "name": "APT41", "type": "intrusion-set"}}
{"text": "Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[0, 12], [218, 230], [419, 431]]}, "info": {"id": "mitre_is_0096", "source": "mitre_attack", "mitre_id": "G1017", "name": "Volt Typhoon", "type": "intrusion-set"}}
{"text": "RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.", "spans": {"MALWARE: ShadowPad": [[239, 248]], "THREAT_ACTOR: RedEcho": [[0, 7], [145, 152]], "THREAT_ACTOR: APT41": [[215, 220]]}, "info": {"id": "mitre_is_0097", "source": "mitre_attack", "mitre_id": "G1042", "name": "RedEcho", "type": "intrusion-set"}}
{"text": "Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.", "spans": {"THREAT_ACTOR: Inception": [[0, 9]]}, "info": {"id": "mitre_is_0098", "source": "mitre_attack", "mitre_id": "G0100", "name": "Inception", "type": "intrusion-set"}}
{"text": "Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.", "spans": {"THREAT_ACTOR: Rancor": [[0, 6], [93, 99]]}, "info": {"id": "mitre_is_0099", "source": "mitre_attack", "mitre_id": "G0075", "name": "Rancor", "type": "intrusion-set"}}
{"text": "Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.", "spans": {"ORGANIZATION: Ministry of State Security": [[93, 119]], "THREAT_ACTOR: Leviathan": [[0, 9], [222, 231]], "TOOL: attrib": [[75, 81]]}, "info": {"id": "mitre_is_0100", "source": "mitre_attack", "mitre_id": "G0065", "name": "Leviathan", "type": "intrusion-set"}}
{"text": "Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.", "spans": {"THREAT_ACTOR: Mofang": [[0, 6]]}, "info": {"id": "mitre_is_0101", "source": "mitre_attack", "mitre_id": "G0103", "name": "Mofang", "type": "intrusion-set"}}
{"text": "Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.", "spans": {"THREAT_ACTOR: Patchwork": [[0, 9], [214, 223], [384, 393]], "TOOL: attrib": [[121, 127]]}, "info": {"id": "mitre_is_0102", "source": "mitre_attack", "mitre_id": "G0040", "name": "Patchwork", "type": "intrusion-set"}}
{"text": "HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.", "spans": {"THREAT_ACTOR: OilRig": [[337, 343]], "THREAT_ACTOR: HEXANE": [[0, 6], [295, 301]], "THREAT_ACTOR: APT33": [[327, 332]]}, "info": {"id": "mitre_is_0103", "source": "mitre_attack", "mitre_id": "G1001", "name": "HEXANE", "type": "intrusion-set"}}
{"text": "Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.\n\nAndariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[585, 614]], "THREAT_ACTOR: Lazarus Group": [[529, 542], [787, 800]], "THREAT_ACTOR: Andariel": [[0, 8], [98, 106], [392, 400], [493, 501]], "TOOL: attrib": [[557, 563]]}, "info": {"id": "mitre_is_0104", "source": "mitre_attack", "mitre_id": "G0138", "name": "Andariel", "type": "intrusion-set"}}
{"text": "APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015. APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices. Finally, APT42 exfiltrates data using native features and open-source tools. \n\nAPT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.", "spans": {"THREAT_ACTOR: Magic Hound": [[528, 539], [624, 635]], "SYSTEM: Android": [[314, 321]], "THREAT_ACTOR: APT42": [[0, 5], [233, 238], [421, 426], [491, 496], [640, 645]]}, "info": {"id": "mitre_is_0105", "source": "mitre_attack", "mitre_id": "G1044", "name": "APT42", "type": "intrusion-set"}}
{"text": "UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.", "spans": {"THREAT_ACTOR: UNC3886": [[0, 7], [226, 233]]}, "info": {"id": "mitre_is_0106", "source": "mitre_attack", "mitre_id": "G1048", "name": "UNC3886", "type": "intrusion-set"}}
{"text": "AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella. The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack. The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[75, 104]], "THREAT_ACTOR: Lazarus Group": [[134, 147]], "MALWARE: AppleJeus": [[0, 9], [168, 177], [434, 443]], "TOOL: attrib": [[57, 63]]}, "info": {"id": "mitre_is_0107", "source": "mitre_attack", "mitre_id": "G1049", "name": "AppleJeus", "type": "intrusion-set"}}
{"text": "PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.", "spans": {"THREAT_ACTOR: PROMETHIUM": [[0, 10], [181, 191]], "THREAT_ACTOR: NEODYMIUM": [[253, 262]]}, "info": {"id": "mitre_is_0108", "source": "mitre_attack", "mitre_id": "G0056", "name": "PROMETHIUM", "type": "intrusion-set"}}
{"text": "BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.", "spans": {"MALWARE: BlackByte 2.0 Ransomware": [[323, 347]], "MALWARE: BlackByte Ransomware": [[143, 163]], "THREAT_ACTOR: BlackByte": [[0, 9], [70, 79], [165, 174], [387, 396]]}, "info": {"id": "mitre_is_0109", "source": "mitre_attack", "mitre_id": "G1043", "name": "BlackByte", "type": "intrusion-set"}}
{"text": "TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.", "spans": {"THREAT_ACTOR: TA459": [[0, 5]]}, "info": {"id": "mitre_is_0110", "source": "mitre_attack", "mitre_id": "G0062", "name": "TA459", "type": "intrusion-set"}}
{"text": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", "spans": {"THREAT_ACTOR: admin@338": [[0, 9]], "MALWARE: PoisonIvy": [[256, 265]]}, "info": {"id": "mitre_is_0111", "source": "mitre_attack", "mitre_id": "G0018", "name": "admin@338", "type": "intrusion-set"}}
{"text": "Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as \"living off the land\" techniques.", "spans": {"THREAT_ACTOR: Thrip": [[0, 5]]}, "info": {"id": "mitre_is_0112", "source": "mitre_attack", "mitre_id": "G0076", "name": "Thrip", "type": "intrusion-set"}}
{"text": "EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.", "spans": {"THREAT_ACTOR: Wizard Spider": [[79, 92]], "THREAT_ACTOR: EXOTIC LILY": [[0, 11], [154, 165]], "MALWARE: Diavol": [[146, 152]], "MALWARE: Conti": [[136, 141]]}, "info": {"id": "mitre_is_0113", "source": "mitre_attack", "mitre_id": "G1011", "name": "EXOTIC LILY", "type": "intrusion-set"}}
{"text": "TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.", "spans": {"THREAT_ACTOR: TA551": [[0, 5]]}, "info": {"id": "mitre_is_0114", "source": "mitre_attack", "mitre_id": "G0127", "name": "TA551", "type": "intrusion-set"}}
{"text": "TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.", "spans": {"THREAT_ACTOR: TA505": [[0, 5], [74, 79]], "MALWARE: Clop": [[213, 217]]}, "info": {"id": "mitre_is_0115", "source": "mitre_attack", "mitre_id": "G0092", "name": "TA505", "type": "intrusion-set"}}
{"text": "WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.", "spans": {"THREAT_ACTOR: WIRTE": [[0, 5], [73, 78]]}, "info": {"id": "mitre_is_0116", "source": "mitre_attack", "mitre_id": "G0090", "name": "WIRTE", "type": "intrusion-set"}}
{"text": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.", "spans": {"THREAT_ACTOR: FIN10": [[0, 5]]}, "info": {"id": "mitre_is_0117", "source": "mitre_attack", "mitre_id": "G0051", "name": "FIN10", "type": "intrusion-set"}}
{"text": "TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.", "spans": {"MALWARE: Latrodectus": [[134, 145]], "MALWARE: Pikabot": [[72, 79]], "MALWARE: QakBot": [[61, 67]], "THREAT_ACTOR: TA577": [[0, 5]]}, "info": {"id": "mitre_is_0118", "source": "mitre_attack", "mitre_id": "G1037", "name": "TA577", "type": "intrusion-set"}}
{"text": "APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.", "spans": {"THREAT_ACTOR: APT-C-36": [[0, 8]]}, "info": {"id": "mitre_is_0119", "source": "mitre_attack", "mitre_id": "G0099", "name": "APT-C-36", "type": "intrusion-set"}}
{"text": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", "spans": {"THREAT_ACTOR: Naikon": [[86, 92]], "THREAT_ACTOR: APT30": [[0, 5], [126, 131]]}, "info": {"id": "mitre_is_0120", "source": "mitre_attack", "mitre_id": "G0013", "name": "APT30", "type": "intrusion-set"}}
{"text": "BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.", "spans": {"THREAT_ACTOR: BlackTech": [[0, 9], [186, 195]]}, "info": {"id": "mitre_is_0121", "source": "mitre_attack", "mitre_id": "G0098", "name": "BlackTech", "type": "intrusion-set"}}
{"text": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.", "spans": {"THREAT_ACTOR: APT33": [[0, 5]]}, "info": {"id": "mitre_is_0122", "source": "mitre_attack", "mitre_id": "G0064", "name": "APT33", "type": "intrusion-set"}}
{"text": "Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the \"I am meta\" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.", "spans": {"THREAT_ACTOR: Metador": [[0, 7], [88, 95], [271, 278]]}, "info": {"id": "mitre_is_0123", "source": "mitre_attack", "mitre_id": "G1013", "name": "Metador", "type": "intrusion-set"}}
{"text": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[0, 13]]}, "info": {"id": "mitre_is_0124", "source": "mitre_attack", "mitre_id": "G0060", "name": "BRONZE BUTLER", "type": "intrusion-set"}}
{"text": "Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.", "spans": {"THREAT_ACTOR: Daggerfly": [[0, 9], [88, 97], [205, 214]], "MALWARE: MgBot": [[251, 256]]}, "info": {"id": "mitre_is_0125", "source": "mitre_attack", "mitre_id": "G1034", "name": "Daggerfly", "type": "intrusion-set"}}
{"text": "Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.", "spans": {"THREAT_ACTOR: Nomadic Octopus": [[0, 15], [197, 212]], "SYSTEM: Windows": [[274, 281]], "SYSTEM: Android": [[262, 269]]}, "info": {"id": "mitre_is_0126", "source": "mitre_attack", "mitre_id": "G0133", "name": "Nomadic Octopus", "type": "intrusion-set"}}
{"text": "Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.", "spans": {"THREAT_ACTOR: Lotus Blossom": [[0, 13], [157, 170]]}, "info": {"id": "mitre_is_0127", "source": "mitre_attack", "mitre_id": "G0030", "name": "Lotus Blossom", "type": "intrusion-set"}}
{"text": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.", "spans": {"THREAT_ACTOR: FIN5": [[0, 4]]}, "info": {"id": "mitre_is_0128", "source": "mitre_attack", "mitre_id": "G0053", "name": "FIN5", "type": "intrusion-set"}}
{"text": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.", "spans": {"THREAT_ACTOR: TEMP.Veles": [[0, 10]]}, "info": {"id": "mitre_is_0129", "source": "mitre_attack", "mitre_id": "G0088", "name": "TEMP.Veles", "type": "intrusion-set"}}
{"text": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.", "spans": {"ORGANIZATION: United Nations": [[151, 165]], "THREAT_ACTOR: BlackOasis": [[0, 10], [335, 345]], "THREAT_ACTOR: NEODYMIUM": [[287, 296]], "ORGANIZATION: Microsoft": [[274, 283]]}, "info": {"id": "mitre_is_0130", "source": "mitre_attack", "mitre_id": "G0063", "name": "BlackOasis", "type": "intrusion-set"}}
{"text": "menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.\n\nmenuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.", "spans": {"ORGANIZATION: Ministry of State Security": [[156, 182]], "THREAT_ACTOR: menuPass": [[0, 8], [91, 99], [300, 308]]}, "info": {"id": "mitre_is_0131", "source": "mitre_attack", "mitre_id": "G0045", "name": "menuPass", "type": "intrusion-set"}}
{"text": "The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.", "spans": {"THREAT_ACTOR: The White Company": [[0, 17]]}, "info": {"id": "mitre_is_0132", "source": "mitre_attack", "mitre_id": "G0089", "name": "The White Company", "type": "intrusion-set"}}
{"text": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.", "spans": {"THREAT_ACTOR: APT16": [[0, 5]]}, "info": {"id": "mitre_is_0133", "source": "mitre_attack", "mitre_id": "G0023", "name": "APT16", "type": "intrusion-set"}}
{"text": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).", "spans": {"MALWARE: RTM": [[0, 3], [212, 215]]}, "info": {"id": "mitre_is_0134", "source": "mitre_attack", "mitre_id": "G0048", "name": "RTM", "type": "intrusion-set"}}
{"text": "Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.", "spans": {"THREAT_ACTOR: Mustang Panda": [[0, 13], [117, 130], [228, 241]]}, "info": {"id": "mitre_is_0135", "source": "mitre_attack", "mitre_id": "G0129", "name": "Mustang Panda", "type": "intrusion-set"}}
{"text": "NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.", "spans": {"THREAT_ACTOR: PROMETHIUM": [[182, 192]], "THREAT_ACTOR: BlackOasis": [[297, 307]], "THREAT_ACTOR: NEODYMIUM": [[0, 9], [249, 258]]}, "info": {"id": "mitre_is_0136", "source": "mitre_attack", "mitre_id": "G0055", "name": "NEODYMIUM", "type": "intrusion-set"}}
{"text": "Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.", "spans": {"THREAT_ACTOR: Velvet Ant": [[0, 10], [60, 70]]}, "info": {"id": "mitre_is_0137", "source": "mitre_attack", "mitre_id": "G1047", "name": "Velvet Ant", "type": "intrusion-set"}}
{"text": "APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.", "spans": {"TOOL: attrib": [[38, 44]], "THREAT_ACTOR: APT12": [[0, 5]]}, "info": {"id": "mitre_is_0138", "source": "mitre_attack", "mitre_id": "G0005", "name": "APT12", "type": "intrusion-set"}}
{"text": "APT-C-23 is a threat group that has been active since at least 2014. APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.", "spans": {"THREAT_ACTOR: APT-C-23": [[0, 8], [69, 77], [170, 178]], "SYSTEM: Android": [[218, 225]], "SYSTEM: iOS": [[230, 233]]}, "info": {"id": "mitre_is_0139", "source": "mitre_attack", "mitre_id": "G1028", "name": "APT-C-23", "type": "intrusion-set"}}
{"text": "The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.", "spans": {"THREAT_ACTOR: Windigo": [[4, 11], [220, 227]], "MALWARE: Ebury": [[117, 122], [257, 262]], "SYSTEM: Linux": [[84, 89]], "SYSTEM: SSH": [[123, 126]]}, "info": {"id": "mitre_is_0140", "source": "mitre_attack", "mitre_id": "G0124", "name": "Windigo", "type": "intrusion-set"}}
{"text": "Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.", "spans": {"THREAT_ACTOR: Cobalt Group": [[174, 186]], "MALWARE: Carbanak": [[0, 8], [48, 56], [119, 127], [216, 224]], "THREAT_ACTOR: FIN7": [[191, 195]]}, "info": {"id": "mitre_is_0141", "source": "mitre_attack", "mitre_id": "G0008", "name": "Carbanak", "type": "intrusion-set"}}
{"text": "Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.", "spans": {"THREAT_ACTOR: Cinnamon Tempest": [[0, 16], [168, 184], [470, 486]], "TOOL: attrib": [[420, 426]], "MALWARE: Babuk": [[149, 154]]}, "info": {"id": "mitre_is_0142", "source": "mitre_attack", "mitre_id": "G1021", "name": "Cinnamon Tempest", "type": "intrusion-set"}}
{"text": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.", "spans": {"MALWARE: NanoCore": [[325, 333]], "SYSTEM: Android": [[349, 356]], "THREAT_ACTOR: Group5": [[0, 6], [248, 254]], "TOOL: attrib": [[69, 75]], "MALWARE: njRAT": [[315, 320]]}, "info": {"id": "mitre_is_0143", "source": "mitre_attack", "mitre_id": "G0043", "name": "Group5", "type": "intrusion-set"}}
{"text": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.", "spans": {"ORGANIZATION: Ministry of State Security": [[79, 105]], "TOOL: attrib": [[57, 63]], "THREAT_ACTOR: APT3": [[0, 4]]}, "info": {"id": "mitre_is_0144", "source": "mitre_attack", "mitre_id": "G0022", "name": "APT3", "type": "intrusion-set"}}
{"text": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.", "spans": {"THREAT_ACTOR: CopyKittens": [[0, 11]]}, "info": {"id": "mitre_is_0145", "source": "mitre_attack", "mitre_id": "G0052", "name": "CopyKittens", "type": "intrusion-set"}}
{"text": "MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.", "spans": {"THREAT_ACTOR: MuddyWater": [[0, 10], [156, 166]]}, "info": {"id": "mitre_is_0146", "source": "mitre_attack", "mitre_id": "G0069", "name": "MuddyWater", "type": "intrusion-set"}}
{"text": "Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).", "spans": {"THREAT_ACTOR: Silent Librarian": [[0, 16], [185, 201]]}, "info": {"id": "mitre_is_0147", "source": "mitre_attack", "mitre_id": "G0122", "name": "Silent Librarian", "type": "intrusion-set"}}
{"text": "Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).", "spans": {"THREAT_ACTOR: Salt Typhoon": [[0, 12]]}, "info": {"id": "mitre_is_0148", "source": "mitre_attack", "mitre_id": "G1045", "name": "Salt Typhoon", "type": "intrusion-set"}}
{"text": "Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.\n\nNorth Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[85, 114]], "THREAT_ACTOR: Lazarus Group": [[0, 13], [122, 135], [353, 366], [828, 841]], "TOOL: attrib": [[67, 73], [747, 753]], "MALWARE: Flame": [[427, 432]]}, "info": {"id": "mitre_is_0149", "source": "mitre_attack", "mitre_id": "G0032", "name": "Lazarus Group", "type": "intrusion-set"}}
{"text": "DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.", "spans": {"THREAT_ACTOR: DarkHydrus": [[0, 10]]}, "info": {"id": "mitre_is_0150", "source": "mitre_attack", "mitre_id": "G0079", "name": "DarkHydrus", "type": "intrusion-set"}}
{"text": "SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.", "spans": {"THREAT_ACTOR: SilverTerrier": [[0, 13], [79, 92]]}, "info": {"id": "mitre_is_0151", "source": "mitre_attack", "mitre_id": "G0083", "name": "SilverTerrier", "type": "intrusion-set"}}
{"text": "MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.", "spans": {"THREAT_ACTOR: MoustachedBouncer": [[0, 17]]}, "info": {"id": "mitre_is_0152", "source": "mitre_attack", "mitre_id": "G1019", "name": "MoustachedBouncer", "type": "intrusion-set"}}
{"text": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.", "spans": {"TOOL: attrib": [[45, 51]], "THREAT_ACTOR: APT1": [[0, 4]]}, "info": {"id": "mitre_is_0153", "source": "mitre_attack", "mitre_id": "G0006", "name": "APT1", "type": "intrusion-set"}}
{"text": "Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.", "spans": {"THREAT_ACTOR: Darkhotel": [[0, 9], [269, 278]]}, "info": {"id": "mitre_is_0154", "source": "mitre_attack", "mitre_id": "G0012", "name": "Darkhotel", "type": "intrusion-set"}}
{"text": "Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.", "spans": {"THREAT_ACTOR: Transparent Tribe": [[0, 17]]}, "info": {"id": "mitre_is_0155", "source": "mitre_attack", "mitre_id": "G0134", "name": "Transparent Tribe", "type": "intrusion-set"}}
{"text": "Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word \"Armageddon,\" found in early campaigns.\n\nIn November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.", "spans": {"ORGANIZATION: Federal Security Service": [[392, 416]], "THREAT_ACTOR: Gamaredon Group": [[0, 15], [205, 220], [364, 379]], "THREAT_ACTOR: Armageddon": [[261, 271]], "TOOL: attrib": [[353, 359]], "ORGANIZATION: FSB": [[418, 421]]}, "info": {"id": "mitre_is_0156", "source": "mitre_attack", "mitre_id": "G0047", "name": "Gamaredon Group", "type": "intrusion-set"}}
{"text": "Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.", "spans": {"THREAT_ACTOR: Blue Mockingbird": [[0, 16], [176, 192]], "SYSTEM: Windows": [[137, 144]]}, "info": {"id": "mitre_is_0157", "source": "mitre_attack", "mitre_id": "G0108", "name": "Blue Mockingbird", "type": "intrusion-set"}}
{"text": "Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.", "spans": {"THREAT_ACTOR: Magic Hound": [[0, 11]]}, "info": {"id": "mitre_is_0158", "source": "mitre_attack", "mitre_id": "G0059", "name": "Magic Hound", "type": "intrusion-set"}}
{"text": "Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.", "spans": {"THREAT_ACTOR: Water Galura": [[0, 12], [223, 235]], "MALWARE: Qilin": [[38, 43], [166, 171]]}, "info": {"id": "mitre_is_0159", "source": "mitre_attack", "mitre_id": "G1050", "name": "Water Galura", "type": "intrusion-set"}}
{"text": "Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof log in portals and other applications for credential collection.", "spans": {"THREAT_ACTOR: Sea Turtle": [[0, 10], [187, 197], [388, 398]], "SYSTEM: DNS": [[262, 265], [318, 321], [342, 345]]}, "info": {"id": "mitre_is_0160", "source": "mitre_attack", "mitre_id": "G1041", "name": "Sea Turtle", "type": "intrusion-set"}}
{"text": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.", "spans": {"THREAT_ACTOR: Equation": [[0, 8]]}, "info": {"id": "mitre_is_0161", "source": "mitre_attack", "mitre_id": "G0020", "name": "Equation", "type": "intrusion-set"}}
{"text": "Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.", "spans": {"TOOL: attrib": [[395, 401]], "THREAT_ACTOR: Rocke": [[0, 5], [189, 194], [346, 351]]}, "info": {"id": "mitre_is_0162", "source": "mitre_attack", "mitre_id": "G0106", "name": "Rocke", "type": "intrusion-set"}}
{"text": "Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. Akira operations are associated with \"double extortion\" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.", "spans": {"SYSTEM: Windows": [[574, 581]], "MALWARE: Akira": [[0, 5], [97, 102], [291, 296], [517, 522]], "MALWARE: Conti": [[636, 641]]}, "info": {"id": "mitre_is_0163", "source": "mitre_attack", "mitre_id": "G1024", "name": "Akira", "type": "intrusion-set"}}
{"text": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[0, 13], [282, 295]], "THREAT_ACTOR: Putter Panda": [[300, 312]]}, "info": {"id": "mitre_is_0164", "source": "mitre_attack", "mitre_id": "G0029", "name": "Scarlet Mimic", "type": "intrusion-set"}}
{"text": "APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.\n\nIn April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.", "spans": {"THREAT_ACTOR: SolarStorm": [[634, 644]], "SYSTEM: SolarWinds": [[400, 410]], "THREAT_ACTOR: Dark Halo": [[619, 628]], "THREAT_ACTOR: The Dukes": [[496, 505]], "THREAT_ACTOR: Cozy Bear": [[481, 490]], "THREAT_ACTOR: NOBELIUM": [[592, 600]], "THREAT_ACTOR: UNC2452": [[583, 590]], "TOOL: attrib": [[38, 44], [385, 391]], "THREAT_ACTOR: APT29": [[0, 5], [248, 253], [474, 479]], "ORGANIZATION: NATO": [[187, 191]]}, "info": {"id": "mitre_is_0165", "source": "mitre_attack", "mitre_id": "G0016", "name": "APT29", "type": "intrusion-set"}}
{"text": "Evilnum is a financially motivated threat group that has been active since at least 2018.", "spans": {"THREAT_ACTOR: Evilnum": [[0, 7]]}, "info": {"id": "mitre_is_0166", "source": "mitre_attack", "mitre_id": "G0120", "name": "Evilnum", "type": "intrusion-set"}}
{"text": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", "spans": {"MALWARE: PoisonIvy": [[317, 326]], "THREAT_ACTOR: DragonOK": [[0, 8], [147, 155]], "THREAT_ACTOR: Moafee": [[231, 237]], "MALWARE: PlugX": [[310, 315]]}, "info": {"id": "mitre_is_0167", "source": "mitre_attack", "mitre_id": "G0017", "name": "DragonOK", "type": "intrusion-set"}}
{"text": "Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.", "spans": {"THREAT_ACTOR: Elderwood": [[0, 9]], "MALWARE: Aurora": [[136, 142]], "ORGANIZATION: Google": [[100, 106]]}, "info": {"id": "mitre_is_0168", "source": "mitre_attack", "mitre_id": "G0066", "name": "Elderwood", "type": "intrusion-set"}}
{"text": "GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.", "spans": {"THREAT_ACTOR: GALLIUM": [[0, 7], [446, 453]]}, "info": {"id": "mitre_is_0169", "source": "mitre_attack", "mitre_id": "G0093", "name": "GALLIUM", "type": "intrusion-set"}}
{"text": "Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.", "spans": {"THREAT_ACTOR: Aquatic Panda": [[0, 13], [159, 172]]}, "info": {"id": "mitre_is_0170", "source": "mitre_attack", "mitre_id": "G0143", "name": "Aquatic Panda", "type": "intrusion-set"}}
{"text": "Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.", "spans": {"THREAT_ACTOR: Winter Vivern": [[0, 13]]}, "info": {"id": "mitre_is_0171", "source": "mitre_attack", "mitre_id": "G1035", "name": "Winter Vivern", "type": "intrusion-set"}}
{"text": "Backdoor.Oldrea is a modular backdoor that was used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.", "spans": {"MALWARE: Backdoor.Oldrea": [[0, 15], [111, 126]], "THREAT_ACTOR: Dragonfly": [[55, 64]]}, "info": {"id": "mitre_mw_0000", "source": "mitre_attack", "mitre_id": "S0093", "name": "Backdoor.Oldrea", "type": "malware"}}
{"text": "XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.", "spans": {"MALWARE: XCSSET": [[0, 6]], "ORGANIZATION: Apple": [[315, 320]], "SYSTEM: macOS": [[20, 25]]}, "info": {"id": "mitre_mw_0001", "source": "mitre_attack", "mitre_id": "S0658", "name": "XCSSET", "type": "malware"}}
{"text": "PinchDuke is malware that was used by APT29 from 2008 to 2010.", "spans": {"MALWARE: PinchDuke": [[0, 9]], "THREAT_ACTOR: APT29": [[38, 43]]}, "info": {"id": "mitre_mw_0002", "source": "mitre_attack", "mitre_id": "S0048", "name": "PinchDuke", "type": "malware"}}
{"text": "DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.", "spans": {"THREAT_ACTOR: HEXANE": [[81, 87]], "MALWARE: DanBot": [[0, 6]]}, "info": {"id": "mitre_mw_0003", "source": "mitre_attack", "mitre_id": "S1014", "name": "DanBot", "type": "malware"}}
{"text": "CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.", "spans": {"MALWARE: CHOPSTICK": [[0, 9]], "MALWARE: X-Agent": [[301, 308]], "SYSTEM: Windows": [[239, 246]], "SYSTEM: Android": [[313, 320]], "THREAT_ACTOR: APT28": [[59, 64]], "SYSTEM: Linux": [[251, 256]]}, "info": {"id": "mitre_mw_0004", "source": "mitre_attack", "mitre_id": "S0023", "name": "CHOPSTICK", "type": "malware"}}
{"text": "Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.", "spans": {"SYSTEM: SolarWinds": [[257, 267]], "ORGANIZATION: Microsoft": [[159, 168]], "THREAT_ACTOR: APT29": [[243, 248]], "MALWARE: Sibot": [[0, 5], [186, 191]]}, "info": {"id": "mitre_mw_0005", "source": "mitre_attack", "mitre_id": "S0589", "name": "Sibot", "type": "malware"}}
{"text": "MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[91, 104]], "MALWARE: MobileOrder": [[0, 11]], "SYSTEM: Android": [[47, 54]]}, "info": {"id": "mitre_mw_0006", "source": "mitre_attack", "mitre_id": "S0079", "name": "MobileOrder", "type": "malware"}}
{"text": "MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.", "spans": {"THREAT_ACTOR: Ferocious Kitten": [[91, 107]], "MALWARE: MarkiRAT": [[0, 8]]}, "info": {"id": "mitre_mw_0007", "source": "mitre_attack", "mitre_id": "S0652", "name": "MarkiRAT", "type": "malware"}}
{"text": "StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.", "spans": {"THREAT_ACTOR: Moses Staff": [[58, 69]], "MALWARE: StrifeWater": [[0, 11]]}, "info": {"id": "mitre_mw_0008", "source": "mitre_attack", "mitre_id": "S1034", "name": "StrifeWater", "type": "malware"}}
{"text": "TrailBlazer is a modular malware that has been used by APT29 since at least 2019.", "spans": {"MALWARE: TrailBlazer": [[0, 11]], "THREAT_ACTOR: APT29": [[55, 60]]}, "info": {"id": "mitre_mw_0009", "source": "mitre_attack", "mitre_id": "S0682", "name": "TrailBlazer", "type": "malware"}}
{"text": "StarProxy is custom malware used by Mustang Panda as a post-compromise tool, to enable proxying of traffic between the infected machine and other machines on the same network.", "spans": {"THREAT_ACTOR: Mustang Panda": [[36, 49]], "MALWARE: StarProxy": [[0, 9]]}, "info": {"id": "mitre_mw_0010", "source": "mitre_attack", "mitre_id": "S1227", "name": "StarProxy", "type": "malware"}}
{"text": "cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was originally released in 2000. cd00r source code is primarily based on a packet-capturing program as it utilizes a sniffer to listen for specific sequences of network traffic or \"secret knock\" before executing the attacker's code.", "spans": {"MALWARE: cd00r": [[0, 5], [115, 120]]}, "info": {"id": "mitre_mw_0011", "source": "mitre_attack", "mitre_id": "S1204", "name": "cd00r", "type": "malware"}}
{"text": "Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.", "spans": {"SYSTEM: SolarWinds": [[116, 126]], "MALWARE: Raindrop": [[0, 8]], "THREAT_ACTOR: APT29": [[29, 34]]}, "info": {"id": "mitre_mw_0012", "source": "mitre_attack", "mitre_id": "S0565", "name": "Raindrop", "type": "malware"}}
{"text": "Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.", "spans": {"MALWARE: Janicab": [[0, 7]]}, "info": {"id": "mitre_mw_0013", "source": "mitre_attack", "mitre_id": "S0163", "name": "Janicab", "type": "malware"}}
{"text": "XORIndex Loader is a XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites utilizing typo squatting naming conventions of various npm packages.", "spans": {"THREAT_ACTOR: Contagious Interview": [[282, 302]], "MALWARE: XORIndex Loader": [[0, 15], [144, 159], [193, 208], [304, 319]], "MALWARE: BeaverTail": [[124, 134]]}, "info": {"id": "mitre_mw_0014", "source": "mitre_attack", "mitre_id": "S1248", "name": "XORIndex Loader", "type": "malware"}}
{"text": "Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.", "spans": {"MALWARE: Regin": [[0, 5], [144, 149]]}, "info": {"id": "mitre_mw_0015", "source": "mitre_attack", "mitre_id": "S0019", "name": "Regin", "type": "malware"}}
{"text": "Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.", "spans": {"THREAT_ACTOR: Elderwood": [[44, 53]], "MALWARE: Hydraq": [[0, 6]], "MALWARE: Aurora": [[102, 108]], "ORGANIZATION: Google": [[66, 72]], "THREAT_ACTOR: APT17": [[227, 232]]}, "info": {"id": "mitre_mw_0016", "source": "mitre_attack", "mitre_id": "S0203", "name": "Hydraq", "type": "malware"}}
{"text": "LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.", "spans": {"THREAT_ACTOR: APT28": [[32, 37]], "MALWARE: LoJax": [[0, 5]]}, "info": {"id": "mitre_mw_0017", "source": "mitre_attack", "mitre_id": "S0397", "name": "LoJax", "type": "malware"}}
{"text": "DropBook is a Python-based backdoor compiled with PyInstaller.", "spans": {"MALWARE: DropBook": [[0, 8]], "SYSTEM: Python": [[14, 20]]}, "info": {"id": "mitre_mw_0018", "source": "mitre_attack", "mitre_id": "S0547", "name": "DropBook", "type": "malware"}}
{"text": "Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.", "spans": {"MALWARE: Mis-Type": [[0, 8]]}, "info": {"id": "mitre_mw_0019", "source": "mitre_attack", "mitre_id": "S0084", "name": "Mis-Type", "type": "malware"}}
{"text": "Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.", "spans": {"MALWARE: SodaMaster": [[121, 131]], "THREAT_ACTOR: menuPass": [[55, 63]], "MALWARE: Ecipekac": [[0, 8]], "MALWARE: FYAnti": [[137, 143]], "MALWARE: P8RAT": [[114, 119]]}, "info": {"id": "mitre_mw_0020", "source": "mitre_attack", "mitre_id": "S0624", "name": "Ecipekac", "type": "malware"}}
{"text": "OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (`root` or `user`).", "spans": {"MALWARE: OSX_OCEANLOTUS.D": [[0, 16], [206, 222]], "THREAT_ACTOR: APT32": [[45, 50], [78, 83]], "SYSTEM: macOS": [[22, 27]]}, "info": {"id": "mitre_mw_0021", "source": "mitre_attack", "mitre_id": "S0352", "name": "OSX_OCEANLOTUS.D", "type": "malware"}}
{"text": "INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.", "spans": {"MALWARE: INC Ransomware": [[0, 14], [146, 160]], "THREAT_ACTOR: INC Ransom": [[64, 74]]}, "info": {"id": "mitre_mw_0022", "source": "mitre_attack", "mitre_id": "S1139", "name": "INC Ransomware", "type": "malware"}}
{"text": "LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.", "spans": {"MALWARE: LockBit 3.0": [[0, 11], [141, 152]], "MALWARE: LockBit 2.0": [[385, 396]], "MALWARE: BlackCat": [[120, 128]], "SYSTEM: Windows": [[288, 295]], "SYSTEM: VMware": [[300, 306]]}, "info": {"id": "mitre_mw_0023", "source": "mitre_attack", "mitre_id": "S1202", "name": "LockBit 3.0", "type": "malware"}}
{"text": "yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages.", "spans": {"MALWARE: yty": [[0, 3]]}, "info": {"id": "mitre_mw_0024", "source": "mitre_attack", "mitre_id": "S0248", "name": "yty", "type": "malware"}}
{"text": "Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.", "spans": {"THREAT_ACTOR: Fox Kitten": [[61, 71]], "MALWARE: Pay2Key": [[0, 7], [144, 151]]}, "info": {"id": "mitre_mw_0025", "source": "mitre_attack", "mitre_id": "S0556", "name": "Pay2Key", "type": "malware"}}
{"text": "HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.", "spans": {"MALWARE: HermeticWiper": [[0, 13]]}, "info": {"id": "mitre_mw_0026", "source": "mitre_attack", "mitre_id": "S0697", "name": "HermeticWiper", "type": "malware"}}
{"text": "Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.", "spans": {"MALWARE: Revenge RAT": [[155, 166]], "MALWARE: Agent Tesla": [[168, 179]], "TOOL: AsyncRAT": [[145, 153]], "MALWARE: NETWIRE": [[185, 192]], "MALWARE: Snip3": [[0, 5]]}, "info": {"id": "mitre_mw_0027", "source": "mitre_attack", "mitre_id": "S1086", "name": "Snip3", "type": "malware"}}
{"text": "TRANSLATEXT is malware that is believed to be used by Kimsuky. TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious JavaScript files that perform defense evasion, information collection and exfiltration.", "spans": {"MALWARE: TRANSLATEXT": [[0, 11], [63, 74]], "THREAT_ACTOR: Kimsuky": [[54, 61]], "ORGANIZATION: Google": [[92, 98], [123, 129]], "SYSTEM: Chrome": [[130, 136]]}, "info": {"id": "mitre_mw_0028", "source": "mitre_attack", "mitre_id": "S1201", "name": "TRANSLATEXT", "type": "malware"}}
{"text": "UBoatRAT is a remote access tool that was identified in May 2017.", "spans": {"MALWARE: UBoatRAT": [[0, 8]]}, "info": {"id": "mitre_mw_0029", "source": "mitre_attack", "mitre_id": "S0333", "name": "UBoatRAT", "type": "malware"}}
{"text": "DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRAT, NanoCore, RedLine, Cobalt Strike, and Metasploit.", "spans": {"MALWARE: Cobalt Strike": [[252, 265]], "MALWARE: DarkTortilla": [[0, 12], [115, 127]], "MALWARE: Agent Tesla": [[210, 221]], "MALWARE: NanoCore": [[233, 241]], "SYSTEM: .NET": [[38, 42]]}, "info": {"id": "mitre_mw_0030", "source": "mitre_attack", "mitre_id": "S1066", "name": "DarkTortilla", "type": "malware"}}
{"text": "Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang.", "spans": {"MALWARE: Zebrocy": [[0, 7]], "THREAT_ACTOR: APT28": [[42, 47]], "SYSTEM: .NET": [[175, 179]]}, "info": {"id": "mitre_mw_0031", "source": "mitre_attack", "mitre_id": "S0251", "name": "Zebrocy", "type": "malware"}}
{"text": "POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater.", "spans": {"THREAT_ACTOR: MuddyWater": [[62, 72]], "MALWARE: POWERSTATS": [[0, 10]], "SYSTEM: PowerShell": [[16, 26]]}, "info": {"id": "mitre_mw_0032", "source": "mitre_attack", "mitre_id": "S0223", "name": "POWERSTATS", "type": "malware"}}
{"text": "Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name \"Moneybird\" is contained in the malware's ransom note and as strings in the executable.", "spans": {"MALWARE: Moneybird": [[0, 9], [94, 103]], "THREAT_ACTOR: Agrius": [[65, 71]]}, "info": {"id": "mitre_mw_0033", "source": "mitre_attack", "mitre_id": "S1137", "name": "Moneybird", "type": "malware"}}
{"text": "SHUTTERSPEED is a backdoor used by APT37.", "spans": {"MALWARE: SHUTTERSPEED": [[0, 12]], "THREAT_ACTOR: APT37": [[35, 40]]}, "info": {"id": "mitre_mw_0034", "source": "mitre_attack", "mitre_id": "S0217", "name": "SHUTTERSPEED", "type": "malware"}}
{"text": "AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.", "spans": {"MALWARE: AppleSeed": [[0, 9]], "THREAT_ACTOR: Kimsuky": [[46, 53]]}, "info": {"id": "mitre_mw_0035", "source": "mitre_attack", "mitre_id": "S0622", "name": "AppleSeed", "type": "malware"}}
{"text": "RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.", "spans": {"MALWARE: RAPIDPULSE": [[0, 10]], "THREAT_ACTOR: APT5": [[112, 116]]}, "info": {"id": "mitre_mw_0036", "source": "mitre_attack", "mitre_id": "S1113", "name": "RAPIDPULSE", "type": "malware"}}
{"text": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", "spans": {"MALWARE: GeminiDuke": [[0, 10]], "THREAT_ACTOR: APT29": [[39, 44]]}, "info": {"id": "mitre_mw_0037", "source": "mitre_attack", "mitre_id": "S0049", "name": "GeminiDuke", "type": "malware"}}
{"text": "PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\\Users\\Public` or creating new directories to stage the malware and its components. PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.", "spans": {"FILEPATH: C:\\Users\\Public": [[102, 117]], "THREAT_ACTOR: Mustang Panda": [[431, 444]], "MALWARE: CLAIMLOADER": [[541, 552]], "MALWARE: PUBLOAD": [[0, 7], [188, 195], [344, 351], [446, 453]]}, "info": {"id": "mitre_mw_0038", "source": "mitre_attack", "mitre_id": "S1228", "name": "PUBLOAD", "type": "malware"}}
{"text": "Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by Windigo. Ebury is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, Ebury has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.", "spans": {"THREAT_ACTOR: Windigo": [[109, 116]], "MALWARE: Ebury": [[0, 5], [118, 123], [260, 265]], "SYSTEM: Linux": [[62, 67]]}, "info": {"id": "mitre_mw_0039", "source": "mitre_attack", "mitre_id": "S0377", "name": "Ebury", "type": "malware"}}
{"text": "SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.", "spans": {"THREAT_ACTOR: Sea Turtle": [[33, 43]], "MALWARE: SnappyTCP": [[0, 9], [92, 101], [205, 214]], "SYSTEM: GitHub": [[134, 140]], "SYSTEM: Linux": [[255, 260]]}, "info": {"id": "mitre_mw_0040", "source": "mitre_attack", "mitre_id": "S1163", "name": "SnappyTCP", "type": "malware"}}
{"text": "ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[42, 55]], "MALWARE: ABK": [[0, 3]]}, "info": {"id": "mitre_mw_0041", "source": "mitre_attack", "mitre_id": "S0469", "name": "ABK", "type": "malware"}}
{"text": "QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.", "spans": {"MALWARE: QUIETEXIT": [[0, 9], [161, 170]], "THREAT_ACTOR: APT29": [[115, 120], [142, 147]], "SYSTEM: SSH": [[65, 68]]}, "info": {"id": "mitre_mw_0042", "source": "mitre_attack", "mitre_id": "S1084", "name": "QUIETEXIT", "type": "malware"}}
{"text": "Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process.", "spans": {"THREAT_ACTOR: Lazarus Group": [[36, 49]], "MALWARE: Proxysvc": [[0, 8], [221, 229]]}, "info": {"id": "mitre_mw_0043", "source": "mitre_attack", "mitre_id": "S0238", "name": "Proxysvc", "type": "malware"}}
{"text": "Nebulae is a backdoor that has been used by Naikon since at least 2020.", "spans": {"MALWARE: Nebulae": [[0, 7]], "THREAT_ACTOR: Naikon": [[44, 50]]}, "info": {"id": "mitre_mw_0044", "source": "mitre_attack", "mitre_id": "S0630", "name": "Nebulae", "type": "malware"}}
{"text": "REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.", "spans": {"THREAT_ACTOR: GOLD SOUTHFIELD": [[57, 72]], "MALWARE: REvil": [[0, 5], [153, 158]]}, "info": {"id": "mitre_mw_0045", "source": "mitre_attack", "mitre_id": "S0496", "name": "REvil", "type": "malware"}}
{"text": "PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare.", "spans": {"MALWARE: PoetRAT": [[0, 7], [81, 88], [298, 305]]}, "info": {"id": "mitre_mw_0046", "source": "mitre_attack", "mitre_id": "S0428", "name": "PoetRAT", "type": "malware"}}
{"text": "FruitFly is designed to spy on Mac users.", "spans": {"MALWARE: FruitFly": [[0, 8]]}, "info": {"id": "mitre_mw_0047", "source": "mitre_attack", "mitre_id": "S0277", "name": "FruitFly", "type": "malware"}}
{"text": "BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the Agrius threat actor.", "spans": {"MALWARE: BFG Agonizer": [[0, 12]], "THREAT_ACTOR: Agrius": [[140, 146]]}, "info": {"id": "mitre_mw_0048", "source": "mitre_attack", "mitre_id": "S1136", "name": "BFG Agonizer", "type": "malware"}}
{"text": "FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.", "spans": {"MALWARE: FrameworkPOS": [[0, 12]], "THREAT_ACTOR: FIN6": [[54, 58]]}, "info": {"id": "mitre_mw_0049", "source": "mitre_attack", "mitre_id": "S0503", "name": "FrameworkPOS", "type": "malware"}}
{"text": "SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe. \n\nIn October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as \"IAmTheKing\". ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as \"PowerPool\".", "spans": {"MALWARE: SLOTHFULMEDIA": [[0, 13], [383, 396], [498, 511]], "ORGANIZATION: Kaspersky": [[359, 368]], "ORGANIZATION: ESET": [[458, 462]]}, "info": {"id": "mitre_mw_0050", "source": "mitre_attack", "mitre_id": "S0533", "name": "SLOTHFULMEDIA", "type": "malware"}}
{"text": "Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group. The Linux variant is tracked separately under Winnti for Linux.", "spans": {"MALWARE: Winnti for Windows": [[0, 18]], "MALWARE: Winnti for Linux": [[281, 297]], "THREAT_ACTOR: Winnti Group": [[221, 233]], "SYSTEM: Linux": [[239, 244]]}, "info": {"id": "mitre_mw_0051", "source": "mitre_attack", "mitre_id": "S0141", "name": "Winnti for Windows", "type": "malware"}}
{"text": "Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called \"Indra\" since at least 2019 against private companies in Syria.", "spans": {"MALWARE: Meteor": [[0, 6], [170, 176]]}, "info": {"id": "mitre_mw_0052", "source": "mitre_attack", "mitre_id": "S0688", "name": "Meteor", "type": "malware"}}
{"text": "Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.", "spans": {"MALWARE: Caterpillar WebShell": [[0, 20]], "THREAT_ACTOR: Volatile Cedar": [[77, 91]]}, "info": {"id": "mitre_mw_0053", "source": "mitre_attack", "mitre_id": "S0572", "name": "Caterpillar WebShell", "type": "malware"}}
{"text": "Revenge RAT is a freely available remote access tool written in .NET (C#).", "spans": {"MALWARE: Revenge RAT": [[0, 11]], "SYSTEM: .NET": [[64, 68]]}, "info": {"id": "mitre_mw_0054", "source": "mitre_attack", "mitre_id": "S0379", "name": "Revenge RAT", "type": "malware"}}
{"text": "Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.", "spans": {"THREAT_ACTOR: HEXANE": [[108, 114]], "MALWARE: DanBot": [[37, 43]], "MALWARE: Milan": [[0, 5], [85, 90]], "SYSTEM: .NET": [[79, 83]]}, "info": {"id": "mitre_mw_0055", "source": "mitre_attack", "mitre_id": "S1015", "name": "Milan", "type": "malware"}}
{"text": "StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.", "spans": {"MALWARE: StrelaStealer": [[0, 13], [120, 133]]}, "info": {"id": "mitre_mw_0056", "source": "mitre_attack", "mitre_id": "S1183", "name": "StrelaStealer", "type": "malware"}}
{"text": "CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.", "spans": {"THREAT_ACTOR: Magic Hound": [[73, 84]], "MALWARE: CharmPower": [[0, 10]], "SYSTEM: PowerShell": [[16, 26]]}, "info": {"id": "mitre_mw_0057", "source": "mitre_attack", "mitre_id": "S0674", "name": "CharmPower", "type": "malware"}}
{"text": "S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.", "spans": {"MALWARE: S-Type": [[0, 6]]}, "info": {"id": "mitre_mw_0058", "source": "mitre_attack", "mitre_id": "S0085", "name": "S-Type", "type": "malware"}}
{"text": "Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model. This malware is operated, managed, and sold by the Malteiro cybercriminal group. Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.", "spans": {"THREAT_ACTOR: Malteiro": [[184, 192]], "MALWARE: Mispadu": [[0, 7], [214, 221]]}, "info": {"id": "mitre_mw_0059", "source": "mitre_attack", "mitre_id": "S1122", "name": "Mispadu", "type": "malware"}}
{"text": "LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.", "spans": {"THREAT_ACTOR: ToddyCat": [[24, 32]], "MALWARE: LoFiSe": [[0, 6]]}, "info": {"id": "mitre_mw_0060", "source": "mitre_attack", "mitre_id": "S1101", "name": "LoFiSe", "type": "malware"}}
{"text": "FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.", "spans": {"MALWARE: FlawedGrace": [[0, 11]]}, "info": {"id": "mitre_mw_0061", "source": "mitre_attack", "mitre_id": "S0383", "name": "FlawedGrace", "type": "malware"}}
{"text": "First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.", "spans": {"MALWARE: LightSpy": [[24, 32], [363, 371]], "SYSTEM: Android": [[134, 141], [353, 360]], "SYSTEM: macOS": [[146, 151], [329, 334]], "SYSTEM: iOS": [[85, 88], [324, 327]]}, "info": {"id": "mitre_mw_0062", "source": "mitre_attack", "mitre_id": "S1185", "name": "LightSpy", "type": "malware"}}
{"text": "IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at least 2022. IMAPLoader leverages email protocols for command and control and payload delivery.", "spans": {"MALWARE: IMAPLoader": [[0, 10], [109, 119]], "THREAT_ACTOR: CURIUM": [[70, 76]], "SYSTEM: .NET": [[16, 20]]}, "info": {"id": "mitre_mw_0063", "source": "mitre_attack", "mitre_id": "S1152", "name": "IMAPLoader", "type": "malware"}}
{"text": "Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.", "spans": {"THREAT_ACTOR: Orangeworm": [[38, 48]], "MALWARE: Kwampirs": [[0, 8], [50, 58], [200, 208]], "MALWARE: Shamoon": [[246, 253]]}, "info": {"id": "mitre_mw_0064", "source": "mitre_attack", "mitre_id": "S0236", "name": "Kwampirs", "type": "malware"}}
{"text": "POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors.", "spans": {"MALWARE: POSHSPY": [[0, 7]], "THREAT_ACTOR: APT29": [[44, 49]]}, "info": {"id": "mitre_mw_0065", "source": "mitre_attack", "mitre_id": "S0150", "name": "POSHSPY", "type": "malware"}}
{"text": "P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.", "spans": {"MALWARE: P.A.S. Webshell": [[0, 15]]}, "info": {"id": "mitre_mw_0066", "source": "mitre_attack", "mitre_id": "S0598", "name": "P.A.S. Webshell", "type": "malware"}}
{"text": "ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.", "spans": {"THREAT_ACTOR: Transparent Tribe": [[82, 99]], "MALWARE: ObliqueRAT": [[0, 10]], "MALWARE: Crimson": [[49, 56]]}, "info": {"id": "mitre_mw_0067", "source": "mitre_attack", "mitre_id": "S0644", "name": "ObliqueRAT", "type": "malware"}}
{"text": "OnionDuke is malware that was used by APT29 from 2013 to 2015.", "spans": {"MALWARE: OnionDuke": [[0, 9]], "THREAT_ACTOR: APT29": [[38, 43]]}, "info": {"id": "mitre_mw_0068", "source": "mitre_attack", "mitre_id": "S0052", "name": "OnionDuke", "type": "malware"}}
{"text": "Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.", "spans": {"THREAT_ACTOR: HEXANE": [[65, 71]], "MALWARE: Kevin": [[0, 5]]}, "info": {"id": "mitre_mw_0069", "source": "mitre_attack", "mitre_id": "S1020", "name": "Kevin", "type": "malware"}}
{"text": "Pteranodon is a custom backdoor used by Gamaredon Group.", "spans": {"THREAT_ACTOR: Gamaredon Group": [[40, 55]], "MALWARE: Pteranodon": [[0, 10]]}, "info": {"id": "mitre_mw_0070", "source": "mitre_attack", "mitre_id": "S0147", "name": "Pteranodon", "type": "malware"}}
{"text": "Micropsia is a remote access tool written in Delphi.", "spans": {"MALWARE: Micropsia": [[0, 9]]}, "info": {"id": "mitre_mw_0071", "source": "mitre_attack", "mitre_id": "S0339", "name": "Micropsia", "type": "malware"}}
{"text": "Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.", "spans": {"MALWARE: Aria-body": [[0, 9]], "THREAT_ACTOR: Naikon": [[53, 59]]}, "info": {"id": "mitre_mw_0072", "source": "mitre_attack", "mitre_id": "S0456", "name": "Aria-body", "type": "malware"}}
{"text": "Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of \"bumblebee\" in the user-agent.", "spans": {"MALWARE: Bumblebee": [[0, 9], [204, 213]], "MALWARE: Conti": [[265, 270]]}, "info": {"id": "mitre_mw_0073", "source": "mitre_attack", "mitre_id": "S1039", "name": "Bumblebee", "type": "malware"}}
{"text": "ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Justice along with the CHIMNEYSWEEP backdoor.", "spans": {"MALWARE: CHIMNEYSWEEP": [[120, 132]], "MALWARE: ROADSWEEP": [[0, 9]]}, "info": {"id": "mitre_mw_0074", "source": "mitre_attack", "mitre_id": "S1150", "name": "ROADSWEEP", "type": "malware"}}
{"text": "GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India.", "spans": {"MALWARE: GravityRAT": [[0, 10]]}, "info": {"id": "mitre_mw_0075", "source": "mitre_attack", "mitre_id": "S0237", "name": "GravityRAT", "type": "malware"}}
{"text": "Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.", "spans": {"THREAT_ACTOR: Strider": [[51, 58]], "MALWARE: Remsec": [[0, 6]], "SYSTEM: Lua": [[162, 165]]}, "info": {"id": "mitre_mw_0076", "source": "mitre_attack", "mitre_id": "S0125", "name": "Remsec", "type": "malware"}}
{"text": "PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023 including against government targets in the Middle East.", "spans": {"MALWARE: PowerExchange": [[0, 13]], "SYSTEM: PowerShell": [[19, 29]], "THREAT_ACTOR: OilRig": [[61, 67]]}, "info": {"id": "mitre_mw_0077", "source": "mitre_attack", "mitre_id": "S1173", "name": "PowerExchange", "type": "malware"}}
{"text": "HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors.", "spans": {"THREAT_ACTOR: Leviathan": [[108, 117]], "MALWARE: HOMEFRY": [[0, 7]], "SYSTEM: Windows": [[20, 27]]}, "info": {"id": "mitre_mw_0078", "source": "mitre_attack", "mitre_id": "S0232", "name": "HOMEFRY", "type": "malware"}}
{"text": "BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.", "spans": {"MALWARE: BACKSPACE": [[0, 9]], "THREAT_ACTOR: APT30": [[32, 37]]}, "info": {"id": "mitre_mw_0079", "source": "mitre_attack", "mitre_id": "S0031", "name": "BACKSPACE", "type": "malware"}}
{"text": "Pony is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.", "spans": {"MALWARE: Pony": [[0, 4], [136, 140]]}, "info": {"id": "mitre_mw_0080", "source": "mitre_attack", "mitre_id": "S0453", "name": "Pony", "type": "malware"}}
{"text": "Ragnar Locker is a ransomware that has been in use since at least December 2019.", "spans": {"MALWARE: Ragnar Locker": [[0, 13]]}, "info": {"id": "mitre_mw_0081", "source": "mitre_attack", "mitre_id": "S0481", "name": "Ragnar Locker", "type": "malware"}}
{"text": "Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program.", "spans": {"MALWARE: Mosquito": [[0, 8], [58, 66]], "THREAT_ACTOR: Turla": [[51, 56]]}, "info": {"id": "mitre_mw_0082", "source": "mitre_attack", "mitre_id": "S0256", "name": "Mosquito", "type": "malware"}}
{"text": "SslMM is a full-featured backdoor used by Naikon that has multiple variants.", "spans": {"THREAT_ACTOR: Naikon": [[42, 48]], "MALWARE: SslMM": [[0, 5]]}, "info": {"id": "mitre_mw_0083", "source": "mitre_attack", "mitre_id": "S0058", "name": "SslMM", "type": "malware"}}
{"text": "SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.", "spans": {"MALWARE: SLOWPULSE": [[0, 9], [126, 135]], "THREAT_ACTOR: APT5": [[40, 44]], "SYSTEM: VPN": [[196, 199]]}, "info": {"id": "mitre_mw_0084", "source": "mitre_attack", "mitre_id": "S1104", "name": "SLOWPULSE", "type": "malware"}}
{"text": "Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018.", "spans": {"MALWARE: Cannon": [[0, 6]]}, "info": {"id": "mitre_mw_0085", "source": "mitre_attack", "mitre_id": "S0351", "name": "Cannon", "type": "malware"}}
{"text": "Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure though is possibly not exclusive to the group.", "spans": {"MALWARE: Megazord": [[0, 8], [133, 141]], "SYSTEM: Windows": [[111, 118]], "TOOL: attrib": [[151, 157]], "MALWARE: Akira": [[36, 41], [169, 174]]}, "info": {"id": "mitre_mw_0086", "source": "mitre_attack", "mitre_id": "S1191", "name": "Megazord", "type": "malware"}}
{"text": "Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.", "spans": {"THREAT_ACTOR: Lazarus Group": [[132, 145]], "MALWARE: Bankshot": [[0, 8], [155, 163]]}, "info": {"id": "mitre_mw_0087", "source": "mitre_attack", "mitre_id": "S0239", "name": "Bankshot", "type": "malware"}}
{"text": "Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.", "spans": {"MALWARE: Exaramel for Windows": [[0, 20]], "MALWARE: Exaramel for Linux": [[117, 135]], "SYSTEM: Windows": [[54, 61]], "SYSTEM: Linux": [[75, 80]]}, "info": {"id": "mitre_mw_0088", "source": "mitre_attack", "mitre_id": "S0343", "name": "Exaramel for Windows", "type": "malware"}}
{"text": "USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.", "spans": {"MALWARE: ADVSTORESHELL": [[222, 235]], "MALWARE: USBStealer": [[0, 10]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "mitre_mw_0089", "source": "mitre_attack", "mitre_id": "S0136", "name": "USBStealer", "type": "malware"}}
{"text": "PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. PAKLOG is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious PAKLOG DLL (pa_lang2.dll). The PACLOUD.exe binary is used to side-load the PAKLOG DLL which starts with the keylogger functionality.", "spans": {"THREAT_ACTOR: Mustang Panda": [[47, 60]], "MALWARE: PAKLOG": [[0, 6], [102, 108], [242, 248], [317, 323]]}, "info": {"id": "mitre_mw_0090", "source": "mitre_attack", "mitre_id": "S1233", "name": "PAKLOG", "type": "malware"}}
{"text": "SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.", "spans": {"MALWARE: SUGARDUMP": [[0, 9], [130, 139]], "SYSTEM: HTTP": [[257, 261]]}, "info": {"id": "mitre_mw_0091", "source": "mitre_attack", "mitre_id": "S1042", "name": "SUGARDUMP", "type": "malware"}}
{"text": "Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. Latrodectus has most often been distributed through email campaigns, primarily by TA577 and TA578, and has infrastructure overlaps with historic IcedID operations.", "spans": {"MALWARE: Latrodectus": [[0, 11], [140, 151]], "SYSTEM: Windows": [[17, 24]], "MALWARE: IcedID": [[285, 291]], "THREAT_ACTOR: TA578": [[232, 237]], "THREAT_ACTOR: TA577": [[222, 227]]}, "info": {"id": "mitre_mw_0092", "source": "mitre_attack", "mitre_id": "S1160", "name": "Latrodectus", "type": "malware"}}
{"text": "ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.", "spans": {"MALWARE: Agent.btz": [[68, 77]], "MALWARE: ComRAT": [[0, 6], [118, 124]], "THREAT_ACTOR: Turla": [[90, 95]]}, "info": {"id": "mitre_mw_0093", "source": "mitre_attack", "mitre_id": "S0126", "name": "ComRAT", "type": "malware"}}
{"text": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”", "spans": {"MALWARE: NETEAGLE": [[0, 8]], "THREAT_ACTOR: APT30": [[36, 41]]}, "info": {"id": "mitre_mw_0094", "source": "mitre_attack", "mitre_id": "S0034", "name": "NETEAGLE", "type": "malware"}}
{"text": "China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. It has been used by several threat groups.", "spans": {"MALWARE: China Chopper": [[0, 13]]}, "info": {"id": "mitre_mw_0095", "source": "mitre_attack", "mitre_id": "S0020", "name": "China Chopper", "type": "malware"}}
{"text": "Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.", "spans": {"MALWARE: Crutch": [[0, 6]], "THREAT_ACTOR: Turla": [[71, 76]]}, "info": {"id": "mitre_mw_0096", "source": "mitre_attack", "mitre_id": "S0538", "name": "Crutch", "type": "malware"}}
{"text": "RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.", "spans": {"MALWARE: DRIFTWOOD": [[202, 211]], "MALWARE: FIENDCRY": [[179, 187]], "MALWARE: DUEBREW": [[189, 196]], "ORGANIZATION: FireEye": [[133, 140]], "MALWARE: RawPOS": [[0, 6], [149, 155]]}, "info": {"id": "mitre_mw_0097", "source": "mitre_attack", "mitre_id": "S0169", "name": "RawPOS", "type": "malware"}}
{"text": "Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.", "spans": {"THREAT_ACTOR: Saint Bear": [[53, 63]], "MALWARE: Saint Bot": [[0, 9]], "SYSTEM: .NET": [[15, 19]]}, "info": {"id": "mitre_mw_0098", "source": "mitre_attack", "mitre_id": "S1018", "name": "Saint Bot", "type": "malware"}}
{"text": "KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.", "spans": {"SYSTEM: JavaScript": [[15, 25]], "MALWARE: KOPILUWAK": [[0, 9]]}, "info": {"id": "mitre_mw_0099", "source": "mitre_attack", "mitre_id": "S1075", "name": "KOPILUWAK", "type": "malware"}}
{"text": "BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.", "spans": {"MALWARE: BUBBLEWRAP": [[0, 10]], "THREAT_ACTOR: admin@338": [[65, 74]]}, "info": {"id": "mitre_mw_0100", "source": "mitre_attack", "mitre_id": "S0043", "name": "BUBBLEWRAP", "type": "malware"}}
{"text": "DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.", "spans": {"MALWARE: DEATHRANSOM": [[0, 11]], "MALWARE: HELLOKITTY": [[124, 134]], "MALWARE: FIVEHANDS": [[110, 119]]}, "info": {"id": "mitre_mw_0101", "source": "mitre_attack", "mitre_id": "S0616", "name": "DEATHRANSOM", "type": "malware"}}
{"text": "BOLDMOVE is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOSS SSL-VPNs. The record for BOLDMOVE only covers known Linux variants.", "spans": {"CVE_ID: CVE-2022-42475": [[301, 315]], "MALWARE: BOLDMOVE": [[0, 8], [124, 132], [254, 262], [353, 361]], "SYSTEM: Windows": [[147, 154]], "SYSTEM: Linux": [[159, 164], [185, 190], [380, 385]]}, "info": {"id": "mitre_mw_0102", "source": "mitre_attack", "mitre_id": "S1184", "name": "BOLDMOVE", "type": "malware"}}
{"text": "GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.", "spans": {"MALWARE: GoldenSpy": [[0, 9], [98, 107]]}, "info": {"id": "mitre_mw_0103", "source": "mitre_attack", "mitre_id": "S0493", "name": "GoldenSpy", "type": "malware"}}
{"text": "Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as \"Operation Manul\".", "spans": {"THREAT_ACTOR: Dark Caracal": [[299, 311]], "MALWARE: Bandook": [[0, 7], [274, 281]]}, "info": {"id": "mitre_mw_0104", "source": "mitre_attack", "mitre_id": "S0234", "name": "Bandook", "type": "malware"}}
{"text": "CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.\n\nPOLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.", "spans": {"MALWARE: CreepyDrive": [[0, 11]], "THREAT_ACTOR: POLONIUM": [[49, 57], [153, 161]], "SYSTEM: OneDrive": [[133, 141]]}, "info": {"id": "mitre_mw_0105", "source": "mitre_attack", "mitre_id": "S1023", "name": "CreepyDrive", "type": "malware"}}
{"text": "IPsec Helper is a post-exploitation remote access tool linked to Agrius operations. This malware shares significant programming and functional overlaps with Apostle ransomware, also linked to Agrius. IPsec Helper provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.", "spans": {"MALWARE: IPsec Helper": [[0, 12], [200, 212]], "MALWARE: Apostle": [[157, 164]], "THREAT_ACTOR: Agrius": [[65, 71], [192, 198]]}, "info": {"id": "mitre_mw_0106", "source": "mitre_attack", "mitre_id": "S1132", "name": "IPsec Helper", "type": "malware"}}
{"text": "KEYMARBLE is a Trojan that has reportedly been used by the North Korean government.", "spans": {"MALWARE: KEYMARBLE": [[0, 9]]}, "info": {"id": "mitre_mw_0107", "source": "mitre_attack", "mitre_id": "S0271", "name": "KEYMARBLE", "type": "malware"}}
{"text": "WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.", "spans": {"MALWARE: WellMail": [[0, 8]], "MALWARE: WellMess": [[102, 110]], "THREAT_ACTOR: APT29": [[60, 65]]}, "info": {"id": "mitre_mw_0108", "source": "mitre_attack", "mitre_id": "S0515", "name": "WellMail", "type": "malware"}}
{"text": "FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[66, 79]], "SYSTEM: Windows": [[27, 34]], "MALWARE: FakeM": [[0, 5]]}, "info": {"id": "mitre_mw_0109", "source": "mitre_attack", "mitre_id": "S0076", "name": "FakeM", "type": "malware"}}
{"text": "PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry.", "spans": {"MALWARE: PUNCHBUGGY": [[0, 10]], "THREAT_ACTOR: FIN8": [[41, 45]]}, "info": {"id": "mitre_mw_0110", "source": "mitre_attack", "mitre_id": "S0196", "name": "PUNCHBUGGY", "type": "malware"}}
{"text": "Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.", "spans": {"THREAT_ACTOR: ToddyCat": [[58, 66], [211, 219]], "MALWARE: Samurai": [[434, 441]], "MALWARE: Ninja": [[0, 5], [137, 142], [294, 299]]}, "info": {"id": "mitre_mw_0111", "source": "mitre_attack", "mitre_id": "S1100", "name": "Ninja", "type": "malware"}}
{"text": "BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.", "spans": {"MALWARE: BADHATCH": [[0, 8], [75, 83]], "THREAT_ACTOR: FIN8": [[49, 53]]}, "info": {"id": "mitre_mw_0112", "source": "mitre_attack", "mitre_id": "S1081", "name": "BADHATCH", "type": "malware"}}
{"text": "Cobian RAT is a backdoor, remote access tool that has been observed since 2016.", "spans": {"MALWARE: Cobian RAT": [[0, 10]]}, "info": {"id": "mitre_mw_0113", "source": "mitre_attack", "mitre_id": "S0338", "name": "Cobian RAT", "type": "malware"}}
{"text": "DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.", "spans": {"MALWARE: DnsSystem": [[0, 9]], "THREAT_ACTOR: HEXANE": [[125, 131]], "SYSTEM: .NET": [[15, 19]], "SYSTEM: DNS": [[26, 29]]}, "info": {"id": "mitre_mw_0114", "source": "mitre_attack", "mitre_id": "S1021", "name": "DnsSystem", "type": "malware"}}
{"text": "J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers that was first observed during the J-magic Campaign in mid-2023. J-magic monitors TCP traffic for five predefined parameters or \"magic packets\" to be sent by the attackers before activating on compromised devices.", "spans": {"MALWARE: J-magic": [[0, 7], [120, 127], [150, 157]], "MALWARE: cd00r": [[35, 40]], "TOOL: route": [[77, 82]]}, "info": {"id": "mitre_mw_0115", "source": "mitre_attack", "mitre_id": "S1203", "name": "J-magic", "type": "malware"}}
{"text": "DealersChoice is a Flash exploitation framework used by APT28.", "spans": {"MALWARE: DealersChoice": [[0, 13]], "THREAT_ACTOR: APT28": [[56, 61]]}, "info": {"id": "mitre_mw_0116", "source": "mitre_attack", "mitre_id": "S0243", "name": "DealersChoice", "type": "malware"}}
{"text": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.", "spans": {"MALWARE: Redaman": [[150, 157]], "MALWARE: RTM": [[0, 3], [83, 86]]}, "info": {"id": "mitre_mw_0117", "source": "mitre_attack", "mitre_id": "S0148", "name": "RTM", "type": "malware"}}
{"text": "BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.", "spans": {"MALWARE: BOOTRASH": [[0, 8]], "SYSTEM: Windows": [[35, 42]]}, "info": {"id": "mitre_mw_0118", "source": "mitre_attack", "mitre_id": "S0114", "name": "BOOTRASH", "type": "malware"}}
{"text": "FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.", "spans": {"TOOL: QuasarRAT": [[91, 100]], "THREAT_ACTOR: menuPass": [[41, 49]], "MALWARE: FYAnti": [[0, 6]]}, "info": {"id": "mitre_mw_0119", "source": "mitre_attack", "mitre_id": "S0628", "name": "FYAnti", "type": "malware"}}
{"text": "CloudDuke is malware that was used by APT29 in 2015.", "spans": {"MALWARE: CloudDuke": [[0, 9]], "THREAT_ACTOR: APT29": [[38, 43]]}, "info": {"id": "mitre_mw_0120", "source": "mitre_attack", "mitre_id": "S0054", "name": "CloudDuke", "type": "malware"}}
{"text": "LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.", "spans": {"MALWARE: LoudMiner": [[0, 9]], "SYSTEM: Windows": [[185, 192]], "SYSTEM: macOS": [[197, 202]]}, "info": {"id": "mitre_mw_0121", "source": "mitre_attack", "mitre_id": "S0451", "name": "LoudMiner", "type": "malware"}}
{"text": "TONESHELL is a custom backdoor that has been used since at least Q1 2021. TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.", "spans": {"THREAT_ACTOR: Mustang Panda": [[165, 178]], "MALWARE: TONESHELL": [[0, 9], [74, 83]]}, "info": {"id": "mitre_mw_0122", "source": "mitre_attack", "mitre_id": "S1239", "name": "TONESHELL", "type": "malware"}}
{"text": "RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.", "spans": {"MALWARE: RobbinHood": [[0, 10]]}, "info": {"id": "mitre_mw_0123", "source": "mitre_attack", "mitre_id": "S0400", "name": "RobbinHood", "type": "malware"}}
{"text": "Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.", "spans": {"MALWARE: FunnyDream": [[82, 92]], "MALWARE: Chinoxy": [[0, 7], [188, 195]]}, "info": {"id": "mitre_mw_0124", "source": "mitre_attack", "mitre_id": "S1041", "name": "Chinoxy", "type": "malware"}}
{"text": "Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.", "spans": {"MALWARE: Reaver": [[0, 6]]}, "info": {"id": "mitre_mw_0125", "source": "mitre_attack", "mitre_id": "S0172", "name": "Reaver", "type": "malware"}}
{"text": "ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.", "spans": {"MALWARE: ROKRAT": [[0, 6], [112, 118]], "THREAT_ACTOR: APT37": [[57, 62], [97, 102]]}, "info": {"id": "mitre_mw_0126", "source": "mitre_attack", "mitre_id": "S0240", "name": "ROKRAT", "type": "malware"}}
{"text": "Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.", "spans": {"THREAT_ACTOR: Lotus Blossom": [[58, 71]], "MALWARE: Sagerunex": [[0, 9], [142, 151]]}, "info": {"id": "mitre_mw_0127", "source": "mitre_attack", "mitre_id": "S1210", "name": "Sagerunex", "type": "malware"}}
{"text": "WINDSHIELD is a signature backdoor used by APT32.", "spans": {"MALWARE: WINDSHIELD": [[0, 10]], "THREAT_ACTOR: APT32": [[43, 48]]}, "info": {"id": "mitre_mw_0128", "source": "mitre_attack", "mitre_id": "S0155", "name": "WINDSHIELD", "type": "malware"}}
{"text": "Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.", "spans": {"MALWARE: Machete": [[0, 7], [45, 52]], "SYSTEM: Windows": [[94, 101]], "SYSTEM: Python": [[62, 68]]}, "info": {"id": "mitre_mw_0129", "source": "mitre_attack", "mitre_id": "S0409", "name": "Machete", "type": "malware"}}
{"text": "OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.", "spans": {"MALWARE: OceanSalt": [[0, 9], [111, 120]], "THREAT_ACTOR: APT1": [[187, 191]]}, "info": {"id": "mitre_mw_0130", "source": "mitre_attack", "mitre_id": "S0346", "name": "OceanSalt", "type": "malware"}}
{"text": "Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.", "spans": {"MALWARE: Bonadan": [[0, 7], [75, 82]]}, "info": {"id": "mitre_mw_0131", "source": "mitre_attack", "mitre_id": "S0486", "name": "Bonadan", "type": "malware"}}
{"text": "TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.", "spans": {"MALWARE: TinyTurla": [[0, 9]], "THREAT_ACTOR: Turla": [[46, 51]]}, "info": {"id": "mitre_mw_0132", "source": "mitre_attack", "mitre_id": "S0668", "name": "TinyTurla", "type": "malware"}}
{"text": "Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi.", "spans": {"MALWARE: Daserf": [[0, 6]]}, "info": {"id": "mitre_mw_0133", "source": "mitre_attack", "mitre_id": "S0187", "name": "Daserf", "type": "malware"}}
{"text": "MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.", "spans": {"MALWARE: CosmicDuke": [[227, 237]], "MALWARE: PinchDuke": [[242, 251]], "MALWARE: MiniDuke": [[0, 8], [66, 74], [176, 184]], "THREAT_ACTOR: APT29": [[37, 42]]}, "info": {"id": "mitre_mw_0134", "source": "mitre_attack", "mitre_id": "S0051", "name": "MiniDuke", "type": "malware"}}
{"text": "Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[26, 35]], "MALWARE: Wiarp": [[0, 5]]}, "info": {"id": "mitre_mw_0135", "source": "mitre_attack", "mitre_id": "S0206", "name": "Wiarp", "type": "malware"}}
{"text": "ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.", "spans": {"MALWARE: ServHelper": [[0, 10]]}, "info": {"id": "mitre_mw_0136", "source": "mitre_attack", "mitre_id": "S0382", "name": "ServHelper", "type": "malware"}}
{"text": "Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.", "spans": {"MALWARE: Grandoreiro": [[0, 11], [137, 148]]}, "info": {"id": "mitre_mw_0137", "source": "mitre_attack", "mitre_id": "S0531", "name": "Grandoreiro", "type": "malware"}}
{"text": "pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-\nexecute\" utility.", "spans": {"THREAT_ACTOR: Putter Panda": [[29, 41]], "MALWARE: pngdowner": [[0, 9]]}, "info": {"id": "mitre_mw_0138", "source": "mitre_attack", "mitre_id": "S0067", "name": "pngdowner", "type": "malware"}}
{"text": "HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.", "spans": {"THREAT_ACTOR: Cinnamon Tempest": [[112, 128]], "MALWARE: Cobalt Strike": [[251, 264]], "MALWARE: HUI Loader": [[0, 10], [182, 192]], "MALWARE: SodaMaster": [[232, 242]], "THREAT_ACTOR: menuPass": [[133, 141]], "MALWARE: Komplex": [[266, 273]], "MALWARE: PlugX": [[244, 249]]}, "info": {"id": "mitre_mw_0139", "source": "mitre_attack", "mitre_id": "S1097", "name": "HUI Loader", "type": "malware"}}
{"text": "StealBit is a data exfiltration tool that is developed and maintained by the operators of the the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes.", "spans": {"MALWARE: StealBit": [[0, 8]]}, "info": {"id": "mitre_mw_0140", "source": "mitre_attack", "mitre_id": "S1200", "name": "StealBit", "type": "malware"}}
{"text": "Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.", "spans": {"THREAT_ACTOR: Deep Panda": [[43, 53]], "MALWARE: Mivast": [[0, 6]]}, "info": {"id": "mitre_mw_0141", "source": "mitre_attack", "mitre_id": "S0080", "name": "Mivast", "type": "malware"}}
{"text": "Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s.", "spans": {"THREAT_ACTOR: Metador": [[64, 71]], "MALWARE: Mafalda": [[0, 7], [105, 112]]}, "info": {"id": "mitre_mw_0142", "source": "mitre_attack", "mitre_id": "S1060", "name": "Mafalda", "type": "malware"}}
{"text": "ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent.", "spans": {"MALWARE: ISMInjector": [[0, 11]], "THREAT_ACTOR: OilRig": [[48, 54]]}, "info": {"id": "mitre_mw_0143", "source": "mitre_attack", "mitre_id": "S0189", "name": "ISMInjector", "type": "malware"}}
{"text": "GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.", "spans": {"MALWARE: Agent Tesla": [[166, 177]], "MALWARE: GuLoader": [[0, 8]], "MALWARE: NanoCore": [[179, 187]], "MALWARE: NETWIRE": [[157, 164]]}, "info": {"id": "mitre_mw_0144", "source": "mitre_attack", "mitre_id": "S0561", "name": "GuLoader", "type": "malware"}}
{"text": "TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.", "spans": {"THREAT_ACTOR: Lazarus Group": [[92, 105]], "MALWARE: TAINTEDSCRIBE": [[0, 13]]}, "info": {"id": "mitre_mw_0145", "source": "mitre_attack", "mitre_id": "S0586", "name": "TAINTEDSCRIBE", "type": "malware"}}
{"text": "iKitten is a macOS exfiltration agent .", "spans": {"MALWARE: iKitten": [[0, 7]], "SYSTEM: macOS": [[13, 18]]}, "info": {"id": "mitre_mw_0146", "source": "mitre_attack", "mitre_id": "S0278", "name": "iKitten", "type": "malware"}}
{"text": "NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.", "spans": {"THREAT_ACTOR: MoustachedBouncer": [[68, 85]], "MALWARE: NightClub": [[0, 9]]}, "info": {"id": "mitre_mw_0147", "source": "mitre_attack", "mitre_id": "S1090", "name": "NightClub", "type": "malware"}}
{"text": "CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.", "spans": {"MALWARE: CostaBricks": [[0, 11]]}, "info": {"id": "mitre_mw_0148", "source": "mitre_attack", "mitre_id": "S0614", "name": "CostaBricks", "type": "malware"}}
{"text": "BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.", "spans": {"MALWARE: China Chopper": [[35, 48]], "MALWARE: BlackMould": [[0, 10]], "ORGANIZATION: Microsoft": [[69, 78]], "THREAT_ACTOR: GALLIUM": [[160, 167]], "SYSTEM: IIS": [[79, 82]]}, "info": {"id": "mitre_mw_0149", "source": "mitre_attack", "mitre_id": "S0564", "name": "BlackMould", "type": "malware"}}
{"text": "FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.", "spans": {"MALWARE: FlawedAmmyy": [[0, 11], [90, 101]]}, "info": {"id": "mitre_mw_0150", "source": "mitre_attack", "mitre_id": "S0381", "name": "FlawedAmmyy", "type": "malware"}}
{"text": "HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016.", "spans": {"MALWARE: HAPPYWORK": [[0, 9]], "THREAT_ACTOR: APT37": [[34, 39]]}, "info": {"id": "mitre_mw_0151", "source": "mitre_attack", "mitre_id": "S0214", "name": "HAPPYWORK", "type": "malware"}}
{"text": "Qilin ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or VMWare ESXi devices. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware and its RaaS affiliates have been observed targeting multiple sectors worldwide, including healthcare and education in Asia, Europe, and Africa.", "spans": {"MALWARE: Black Basta": [[238, 249]], "MALWARE: BlackCat": [[262, 270]], "SYSTEM: Windows": [[165, 172]], "MALWARE: REvil": [[251, 256]], "MALWARE: Qilin": [[0, 5], [197, 202]]}, "info": {"id": "mitre_mw_0152", "source": "mitre_attack", "mitre_id": "S1242", "name": "Qilin", "type": "malware"}}
{"text": "Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia.", "spans": {"MALWARE: Ixeshe": [[0, 6]]}, "info": {"id": "mitre_mw_0153", "source": "mitre_attack", "mitre_id": "S0015", "name": "Ixeshe", "type": "malware"}}
{"text": "RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.", "spans": {"SYSTEM: Google Drive": [[55, 67]], "MALWARE: RIFLESPINE": [[0, 10]]}, "info": {"id": "mitre_mw_0154", "source": "mitre_attack", "mitre_id": "S1222", "name": "RIFLESPINE", "type": "malware"}}
{"text": "SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.", "spans": {"MALWARE: SPACESHIP": [[0, 9]], "THREAT_ACTOR: APT30": [[34, 39], [113, 118]]}, "info": {"id": "mitre_mw_0155", "source": "mitre_attack", "mitre_id": "S0035", "name": "SPACESHIP", "type": "malware"}}
{"text": "Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living off the land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed Medusa Ransomware is used in an opportunistic manner.", "spans": {"MALWARE: Medusa Ransomware": [[0, 17], [68, 85], [199, 216], [427, 444], [553, 570], [676, 693]]}, "info": {"id": "mitre_mw_0156", "source": "mitre_attack", "mitre_id": "S1244", "name": "Medusa Ransomware", "type": "malware"}}
{"text": "FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.", "spans": {"MALWARE: FLASHFLOOD": [[0, 10]], "THREAT_ACTOR: APT30": [[35, 40], [114, 119]]}, "info": {"id": "mitre_mw_0157", "source": "mitre_attack", "mitre_id": "S0036", "name": "FLASHFLOOD", "type": "malware"}}
{"text": "AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.", "spans": {"MALWARE: AvosLocker": [[0, 10], [318, 328]]}, "info": {"id": "mitre_mw_0158", "source": "mitre_attack", "mitre_id": "S1053", "name": "AvosLocker", "type": "malware"}}
{"text": "BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns.", "spans": {"SYSTEM: Visual Basic": [[25, 37]], "MALWARE: BabyShark": [[0, 9]], "ORGANIZATION: Microsoft": [[15, 24]]}, "info": {"id": "mitre_mw_0159", "source": "mitre_attack", "mitre_id": "S0414", "name": "BabyShark", "type": "malware"}}
{"text": "Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.", "spans": {"MALWARE: Agent.btz": [[0, 9]]}, "info": {"id": "mitre_mw_0160", "source": "mitre_attack", "mitre_id": "S0092", "name": "Agent.btz", "type": "malware"}}
{"text": "NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.", "spans": {"THREAT_ACTOR: APT37": [[219, 224]], "MALWARE: NOKKI": [[0, 5], [74, 79], [101, 106], [210, 215]], "MALWARE: KONNI": [[145, 150]]}, "info": {"id": "mitre_mw_0161", "source": "mitre_attack", "mitre_id": "S0353", "name": "NOKKI", "type": "malware"}}
{"text": "ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups.", "spans": {"MALWARE: ShadowPad": [[0, 9]], "THREAT_ACTOR: APT41": [[192, 197]]}, "info": {"id": "mitre_mw_0162", "source": "mitre_attack", "mitre_id": "S0596", "name": "ShadowPad", "type": "malware"}}
{"text": "Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.", "spans": {"MALWARE: Fysbis": [[0, 6]], "THREAT_ACTOR: APT28": [[41, 46]], "SYSTEM: Linux": [[12, 17]]}, "info": {"id": "mitre_mw_0163", "source": "mitre_attack", "mitre_id": "S0410", "name": "Fysbis", "type": "malware"}}
{"text": "Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.", "spans": {"MALWARE: Pysa": [[0, 4]]}, "info": {"id": "mitre_mw_0164", "source": "mitre_attack", "mitre_id": "S0583", "name": "Pysa", "type": "malware"}}
{"text": "CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.", "spans": {"MALWARE: CHIMNEYSWEEP": [[0, 12]], "MALWARE: ROADSWEEP": [[88, 97]]}, "info": {"id": "mitre_mw_0165", "source": "mitre_attack", "mitre_id": "S1149", "name": "CHIMNEYSWEEP", "type": "malware"}}
{"text": "ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.", "spans": {"MALWARE: ANDROMEDA": [[0, 9], [219, 228]]}, "info": {"id": "mitre_mw_0166", "source": "mitre_attack", "mitre_id": "S1074", "name": "ANDROMEDA", "type": "malware"}}
{"text": "Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.", "spans": {"MALWARE: Heyoka Backdoor": [[0, 15]], "THREAT_ACTOR: Aoqin Dragon": [[111, 123]]}, "info": {"id": "mitre_mw_0167", "source": "mitre_attack", "mitre_id": "S1027", "name": "Heyoka Backdoor", "type": "malware"}}
{"text": "FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird.", "spans": {"MALWARE: FinFisher": [[0, 9]], "MALWARE: Wingbird": [[272, 280]]}, "info": {"id": "mitre_mw_0168", "source": "mitre_attack", "mitre_id": "S0182", "name": "FinFisher", "type": "malware"}}
{"text": "Smoke Loader is a malicious bot application that can be used to load other malware.\nSmoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins.", "spans": {"MALWARE: Smoke Loader": [[0, 12], [84, 96]]}, "info": {"id": "mitre_mw_0169", "source": "mitre_attack", "mitre_id": "S0226", "name": "Smoke Loader", "type": "malware"}}
{"text": "Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.", "spans": {"MALWARE: Javali": [[0, 6]]}, "info": {"id": "mitre_mw_0170", "source": "mitre_attack", "mitre_id": "S0528", "name": "Javali", "type": "malware"}}
{"text": "Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. Functionality similar to Skeleton Key is included as a module in Mimikatz.", "spans": {"MALWARE: Skeleton Key": [[0, 12], [155, 167]], "TOOL: Mimikatz": [[195, 203]]}, "info": {"id": "mitre_mw_0171", "source": "mitre_attack", "mitre_id": "S0007", "name": "Skeleton Key", "type": "malware"}}
{"text": "Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.", "spans": {"MALWARE: Linux Rabbit": [[0, 12]], "SYSTEM: Linux": [[38, 43]]}, "info": {"id": "mitre_mw_0172", "source": "mitre_attack", "mitre_id": "S0362", "name": "Linux Rabbit", "type": "malware"}}
{"text": "NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.", "spans": {"MALWARE: NETWIRE": [[0, 7]]}, "info": {"id": "mitre_mw_0173", "source": "mitre_attack", "mitre_id": "S0198", "name": "NETWIRE", "type": "malware"}}
{"text": "GRIFFON is a JavaScript backdoor used by FIN7.", "spans": {"SYSTEM: JavaScript": [[13, 23]], "MALWARE: GRIFFON": [[0, 7]], "THREAT_ACTOR: FIN7": [[41, 45]]}, "info": {"id": "mitre_mw_0174", "source": "mitre_attack", "mitre_id": "S0417", "name": "GRIFFON", "type": "malware"}}
{"text": "KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.", "spans": {"MALWARE: BlackEnergy": [[145, 156]], "MALWARE: KillDisk": [[0, 8], [211, 219], [417, 425]]}, "info": {"id": "mitre_mw_0175", "source": "mitre_attack", "mitre_id": "S0607", "name": "KillDisk", "type": "malware"}}
{"text": "AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.", "spans": {"CVE_ID: CVE-2014-6352": [[164, 177]], "MALWARE: AutoIt backdoor": [[0, 15]], "THREAT_ACTOR: MONSOON": [[80, 87]], "SYSTEM: Windows": [[243, 250]]}, "info": {"id": "mitre_mw_0176", "source": "mitre_attack", "mitre_id": "S0129", "name": "AutoIt backdoor", "type": "malware"}}
{"text": "LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.", "spans": {"MALWARE: LitePower": [[0, 9]], "THREAT_ACTOR: WIRTE": [[73, 78]]}, "info": {"id": "mitre_mw_0177", "source": "mitre_attack", "mitre_id": "S0680", "name": "LitePower", "type": "malware"}}
{"text": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines. Stuxnet was discovered in 2010, with some components being used as early as November 2008.", "spans": {"MALWARE: Stuxnet": [[0, 7], [116, 123], [317, 324]], "SYSTEM: Windows": [[268, 275]]}, "info": {"id": "mitre_mw_0178", "source": "mitre_attack", "mitre_id": "S0603", "name": "Stuxnet", "type": "malware"}}
{"text": "gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.", "spans": {"MALWARE: gh0st RAT": [[0, 9]]}, "info": {"id": "mitre_mw_0179", "source": "mitre_attack", "mitre_id": "S0032", "name": "gh0st RAT", "type": "malware"}}
{"text": "KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.", "spans": {"MALWARE: KEYPLUG": [[0, 7]], "SYSTEM: Windows": [[51, 58]], "THREAT_ACTOR: APT41": [[101, 106]], "SYSTEM: Linux": [[63, 68]]}, "info": {"id": "mitre_mw_0180", "source": "mitre_attack", "mitre_id": "S1051", "name": "KEYPLUG", "type": "malware"}}
{"text": "Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.", "spans": {"MALWARE: Royal": [[0, 5], [133, 138], [228, 233], [427, 432]], "MALWARE: Conti": [[437, 442]]}, "info": {"id": "mitre_mw_0181", "source": "mitre_attack", "mitre_id": "S1073", "name": "Royal", "type": "malware"}}
{"text": "WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.", "spans": {"MALWARE: WhisperGate": [[0, 11]]}, "info": {"id": "mitre_mw_0182", "source": "mitre_attack", "mitre_id": "S0689", "name": "WhisperGate", "type": "malware"}}
{"text": "GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.", "spans": {"THREAT_ACTOR: Wizard Spider": [[135, 148]], "MALWARE: GrimAgent": [[0, 9]], "THREAT_ACTOR: FIN6": [[126, 130]], "MALWARE: Ryuk": [[68, 72]]}, "info": {"id": "mitre_mw_0183", "source": "mitre_attack", "mitre_id": "S0632", "name": "GrimAgent", "type": "malware"}}
{"text": "Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.", "spans": {"MALWARE: Unknown Logger": [[0, 14]], "THREAT_ACTOR: MONSOON": [[130, 137]]}, "info": {"id": "mitre_mw_0184", "source": "mitre_attack", "mitre_id": "S0130", "name": "Unknown Logger", "type": "malware"}}
{"text": "Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.", "spans": {"THREAT_ACTOR: Lazarus Group": [[53, 66]], "MALWARE: Dacls": [[0, 5]]}, "info": {"id": "mitre_mw_0185", "source": "mitre_attack", "mitre_id": "S0497", "name": "Dacls", "type": "malware"}}
{"text": "CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website.", "spans": {"MALWARE: CCBkdr": [[0, 6]]}, "info": {"id": "mitre_mw_0186", "source": "mitre_attack", "mitre_id": "S0222", "name": "CCBkdr", "type": "malware"}}
{"text": "Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.", "spans": {"THREAT_ACTOR: Lotus Blossom": [[43, 56]], "MALWARE: Emissary": [[0, 8]], "MALWARE: Elise": [[78, 83]]}, "info": {"id": "mitre_mw_0187", "source": "mitre_attack", "mitre_id": "S0082", "name": "Emissary", "type": "malware"}}
{"text": "Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.", "spans": {"MALWARE: Kessel": [[0, 6], [132, 138]]}, "info": {"id": "mitre_mw_0188", "source": "mitre_attack", "mitre_id": "S0487", "name": "Kessel", "type": "malware"}}
{"text": "SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.", "spans": {"MALWARE: SMOKEDHAM": [[0, 9]], "SYSTEM: .NET": [[32, 36]]}, "info": {"id": "mitre_mw_0189", "source": "mitre_attack", "mitre_id": "S0649", "name": "SMOKEDHAM", "type": "malware"}}
{"text": "reGeorg is an open-source web shell written in Python that can be used as a proxy to bypass firewall rules and tunnel data in and out of targeted networks.", "spans": {"MALWARE: reGeorg": [[0, 7]], "SYSTEM: Python": [[47, 53]]}, "info": {"id": "mitre_mw_0190", "source": "mitre_attack", "mitre_id": "S1187", "name": "reGeorg", "type": "malware"}}
{"text": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.", "spans": {"MALWARE: Egregor": [[272, 279]], "MALWARE: ProLock": [[260, 267]], "MALWARE: QakBot": [[0, 6], [117, 123]]}, "info": {"id": "mitre_mw_0191", "source": "mitre_attack", "mitre_id": "S0650", "name": "QakBot", "type": "malware"}}
{"text": "LunarLoader is the loader component for the LunarWeb and LunarMail backdoors that has been used by Turla since at least 2020 including against a European ministry of foreign affairs (MFA). LunarLoader has been observed as a standalone and as a part of trojanized open-source software such as AdmPwd.", "spans": {"MALWARE: LunarLoader": [[0, 11], [189, 200]], "MALWARE: LunarMail": [[57, 66]], "MALWARE: LunarWeb": [[44, 52]], "THREAT_ACTOR: Turla": [[99, 104]]}, "info": {"id": "mitre_mw_0192", "source": "mitre_attack", "mitre_id": "S1143", "name": "LunarLoader", "type": "malware"}}
{"text": "xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.", "spans": {"THREAT_ACTOR: IndigoZebra": [[72, 83]], "MALWARE: BoxCaon": [[32, 39]], "MALWARE: xCaon": [[0, 5], [105, 110]], "SYSTEM: HTTP": [[12, 16]]}, "info": {"id": "mitre_mw_0193", "source": "mitre_attack", "mitre_id": "S0653", "name": "xCaon", "type": "malware"}}
{"text": "T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.", "spans": {"MALWARE: T9000": [[0, 5]]}, "info": {"id": "mitre_mw_0194", "source": "mitre_attack", "mitre_id": "S0098", "name": "T9000", "type": "malware"}}
{"text": "DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes an embedded payload.", "spans": {"MALWARE: DUSTPAN": [[0, 7]], "THREAT_ACTOR: APT41": [[57, 62]]}, "info": {"id": "mitre_mw_0195", "source": "mitre_attack", "mitre_id": "S1158", "name": "DUSTPAN", "type": "malware"}}
{"text": "Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed.", "spans": {"MALWARE: Derusbi": [[0, 7]], "SYSTEM: Windows": [[61, 68]], "SYSTEM: Linux": [[73, 78]]}, "info": {"id": "mitre_mw_0196", "source": "mitre_attack", "mitre_id": "S0021", "name": "Derusbi", "type": "malware"}}
{"text": "Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group.", "spans": {"THREAT_ACTOR: Lazarus Group": [[244, 257]], "MALWARE: Dtrack": [[0, 6], [164, 170]], "TOOL: attrib": [[230, 236]]}, "info": {"id": "mitre_mw_0197", "source": "mitre_attack", "mitre_id": "S0567", "name": "Dtrack", "type": "malware"}}
{"text": "BADCALL is a Trojan malware variant used by the group Lazarus Group.", "spans": {"THREAT_ACTOR: Lazarus Group": [[54, 67]], "MALWARE: BADCALL": [[0, 7]]}, "info": {"id": "mitre_mw_0199", "source": "mitre_attack", "mitre_id": "S0245", "name": "BADCALL", "type": "malware"}}
{"text": "HyperBro is a custom in-memory backdoor used by Threat Group-3390.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[48, 65]], "MALWARE: HyperBro": [[0, 8]]}, "info": {"id": "mitre_mw_0200", "source": "mitre_attack", "mitre_id": "S0398", "name": "HyperBro", "type": "malware"}}
{"text": "DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.", "spans": {"MALWARE: DownPaper": [[0, 9]]}, "info": {"id": "mitre_mw_0201", "source": "mitre_attack", "mitre_id": "S0186", "name": "DownPaper", "type": "malware"}}
{"text": "Naid is a trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[25, 34]], "MALWARE: Naid": [[0, 4]]}, "info": {"id": "mitre_mw_0202", "source": "mitre_attack", "mitre_id": "S0205", "name": "Naid", "type": "malware"}}
{"text": "Mori is a backdoor that has been used by MuddyWater since at least January 2022.", "spans": {"THREAT_ACTOR: MuddyWater": [[41, 51]], "MALWARE: Mori": [[0, 4]]}, "info": {"id": "mitre_mw_0203", "source": "mitre_attack", "mitre_id": "S1047", "name": "Mori", "type": "malware"}}
{"text": "RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.", "spans": {"MALWARE: RegDuke": [[0, 7], [88, 95]], "THREAT_ACTOR: APT29": [[61, 66]], "SYSTEM: .NET": [[44, 48]]}, "info": {"id": "mitre_mw_0204", "source": "mitre_attack", "mitre_id": "S0511", "name": "RegDuke", "type": "malware"}}
{"text": "EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.", "spans": {"MALWARE: EvilBunny": [[0, 9]], "SYSTEM: Lua": [[103, 106]]}, "info": {"id": "mitre_mw_0205", "source": "mitre_attack", "mitre_id": "S0396", "name": "EvilBunny", "type": "malware"}}
{"text": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX .", "spans": {"MALWARE: XAgentOSX": [[109, 118]], "MALWARE: Komplex": [[0, 7]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "mitre_mw_0206", "source": "mitre_attack", "mitre_id": "S0162", "name": "Komplex", "type": "malware"}}
{"text": "SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.", "spans": {"SYSTEM: SolarWinds": [[127, 137]], "MALWARE: SUPERNOVA": [[0, 9], [215, 224]], "THREAT_ACTOR: APT29": [[119, 124]], "SYSTEM: .NET": [[47, 51]]}, "info": {"id": "mitre_mw_0207", "source": "mitre_attack", "mitre_id": "S0578", "name": "SUPERNOVA", "type": "malware"}}
{"text": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing.", "spans": {"MALWARE: Volgmer": [[0, 7]]}, "info": {"id": "mitre_mw_0208", "source": "mitre_attack", "mitre_id": "S0180", "name": "Volgmer", "type": "malware"}}
{"text": "IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.", "spans": {"MALWARE: IcedID": [[0, 6], [132, 138]], "MALWARE: Emotet": [[162, 168]]}, "info": {"id": "mitre_mw_0209", "source": "mitre_attack", "mitre_id": "S0483", "name": "IcedID", "type": "malware"}}
{"text": "Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. Cyclops Blink is assessed to be a replacement for VPNFilter, a similar platform targeting network devices.", "spans": {"THREAT_ACTOR: Sandworm Team": [[81, 94]], "MALWARE: Cyclops Blink": [[0, 13], [198, 211]], "MALWARE: VPNFilter": [[248, 257]]}, "info": {"id": "mitre_mw_0210", "source": "mitre_attack", "mitre_id": "S0687", "name": "Cyclops Blink", "type": "malware"}}
{"text": "WINERACK is a backdoor used by APT37.", "spans": {"MALWARE: WINERACK": [[0, 8]], "THREAT_ACTOR: APT37": [[31, 36]]}, "info": {"id": "mitre_mw_0211", "source": "mitre_attack", "mitre_id": "S0219", "name": "WINERACK", "type": "malware"}}
{"text": "SharpStage is a .NET malware with backdoor capabilities.", "spans": {"MALWARE: SharpStage": [[0, 10]], "SYSTEM: .NET": [[16, 20]]}, "info": {"id": "mitre_mw_0212", "source": "mitre_attack", "mitre_id": "S0546", "name": "SharpStage", "type": "malware"}}
{"text": "TYPEFRAME is a remote access tool that has been used by Lazarus Group.", "spans": {"THREAT_ACTOR: Lazarus Group": [[56, 69]], "MALWARE: TYPEFRAME": [[0, 9]]}, "info": {"id": "mitre_mw_0213", "source": "mitre_attack", "mitre_id": "S0263", "name": "TYPEFRAME", "type": "malware"}}
{"text": "STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed utilized in 2025. STATICPLUGIN has utilized a valid certificate in order to bypass endpoint security protections. STATICPLUGIN masqueraded as legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow on malware.", "spans": {"THREAT_ACTOR: Mustang Panda": [[54, 67]], "MALWARE: STATICPLUGIN": [[0, 12], [109, 121], [205, 217], [288, 300]]}, "info": {"id": "mitre_mw_0214", "source": "mitre_attack", "mitre_id": "S1238", "name": "STATICPLUGIN", "type": "malware"}}
{"text": "Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.", "spans": {"MALWARE: Metamorfo": [[0, 9]]}, "info": {"id": "mitre_mw_0215", "source": "mitre_attack", "mitre_id": "S0455", "name": "Metamorfo", "type": "malware"}}
{"text": "CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.", "spans": {"MALWARE: CreepySnail": [[0, 11]], "SYSTEM: PowerShell": [[24, 34]], "THREAT_ACTOR: POLONIUM": [[65, 73]]}, "info": {"id": "mitre_mw_0216", "source": "mitre_attack", "mitre_id": "S1024", "name": "CreepySnail", "type": "malware"}}
{"text": "zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.", "spans": {"MALWARE: zwShell": [[0, 7]]}, "info": {"id": "mitre_mw_0217", "source": "mitre_attack", "mitre_id": "S0350", "name": "zwShell", "type": "malware"}}
{"text": "Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.", "spans": {"THREAT_ACTOR: Lazarus Group": [[67, 80]], "MALWARE: Cryptoistic": [[0, 11]]}, "info": {"id": "mitre_mw_0218", "source": "mitre_attack", "mitre_id": "S0498", "name": "Cryptoistic", "type": "malware"}}
{"text": "PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.", "spans": {"THREAT_ACTOR: Moses Staff": [[85, 96]], "MALWARE: PyDCrypt": [[0, 8]], "SYSTEM: Python": [[31, 37]], "MALWARE: DCSrv": [[58, 63]]}, "info": {"id": "mitre_mw_0219", "source": "mitre_attack", "mitre_id": "S1032", "name": "PyDCrypt", "type": "malware"}}
{"text": "CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.", "spans": {"MALWARE: CallMe": [[0, 6]], "ORGANIZATION: Apple": [[38, 43]]}, "info": {"id": "mitre_mw_0220", "source": "mitre_attack", "mitre_id": "S0077", "name": "CallMe", "type": "malware"}}
{"text": "Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.", "spans": {"MALWARE: Melcoz": [[0, 6], [84, 90]]}, "info": {"id": "mitre_mw_0221", "source": "mitre_attack", "mitre_id": "S0530", "name": "Melcoz", "type": "malware"}}
{"text": "Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira. Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. Akira ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-based Megazord for targeting Windows and Akira _v2 for targeting VMware ESXi servers.", "spans": {"MALWARE: Akira _v2": [[545, 554]], "MALWARE: Megazord": [[510, 518]], "SYSTEM: Windows": [[533, 540]], "SYSTEM: VMware": [[569, 575]], "MALWARE: Akira": [[0, 5], [127, 132], [134, 139], [322, 327]]}, "info": {"id": "mitre_mw_0222", "source": "mitre_attack", "mitre_id": "S1129", "name": "Akira", "type": "malware"}}
{"text": "Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[28, 37]], "MALWARE: Vasport": [[0, 7]]}, "info": {"id": "mitre_mw_0223", "source": "mitre_attack", "mitre_id": "S0207", "name": "Vasport", "type": "malware"}}
{"text": "3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.", "spans": {"THREAT_ACTOR: Putter Panda": [[80, 92]], "MALWARE: 3PARA RAT": [[0, 9]]}, "info": {"id": "mitre_mw_0224", "source": "mitre_attack", "mitre_id": "S0066", "name": "3PARA RAT", "type": "malware"}}
{"text": "Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.", "spans": {"THREAT_ACTOR: PLATINUM": [[79, 87]], "MALWARE: Dipsind": [[0, 7]]}, "info": {"id": "mitre_mw_0225", "source": "mitre_attack", "mitre_id": "S0200", "name": "Dipsind", "type": "malware"}}
{"text": "Proton is a macOS backdoor focusing on data theft and credential access.", "spans": {"MALWARE: Proton": [[0, 6]], "SYSTEM: macOS": [[12, 17]]}, "info": {"id": "mitre_mw_0226", "source": "mitre_attack", "mitre_id": "S0279", "name": "Proton", "type": "malware"}}
{"text": "Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.", "spans": {"THREAT_ACTOR: BlackTech": [[73, 82]], "MALWARE: Flagpro": [[0, 7]], "SYSTEM: Windows": [[13, 20]]}, "info": {"id": "mitre_mw_0227", "source": "mitre_attack", "mitre_id": "S0696", "name": "Flagpro", "type": "malware"}}
{"text": "PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.", "spans": {"MALWARE: PULSECHECK": [[0, 10]], "THREAT_ACTOR: APT5": [[59, 63]], "SYSTEM: Perl": [[37, 41]]}, "info": {"id": "mitre_mw_0228", "source": "mitre_attack", "mitre_id": "S1108", "name": "PULSECHECK", "type": "malware"}}
{"text": "MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012.", "spans": {"MALWARE: MirageFox": [[0, 9]], "SYSTEM: Windows": [[47, 54]], "MALWARE: Mirage": [[120, 126]]}, "info": {"id": "mitre_mw_0229", "source": "mitre_attack", "mitre_id": "S0280", "name": "MirageFox", "type": "malware"}}
{"text": "SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.", "spans": {"MALWARE: SUGARUSH": [[0, 8], [108, 116]]}, "info": {"id": "mitre_mw_0230", "source": "mitre_attack", "mitre_id": "S1049", "name": "SUGARUSH", "type": "malware"}}
{"text": "InvisibleFerret is a modular python malware that is leveraged for data exfiltration and remote access capabilities. InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk. InvisibleFerret malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment or Contagious Interview since 2023. InvisibleFerret has historically been introduced to the victim environment through the use of the BeaverTail malware.", "spans": {"THREAT_ACTOR: Contagious Interview": [[316, 336]], "THREAT_ACTOR: DeceptiveDevelopment": [[292, 312]], "MALWARE: InvisibleFerret": [[0, 15], [116, 131], [195, 210], [349, 364]], "MALWARE: BeaverTail": [[447, 457]]}, "info": {"id": "mitre_mw_0231", "source": "mitre_attack", "mitre_id": "S1245", "name": "InvisibleFerret", "type": "malware"}}
{"text": "SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.", "spans": {"THREAT_ACTOR: Mustard Tempest": [[267, 282]], "THREAT_ACTOR: Indrik Spider": [[332, 345]], "MALWARE: SocGholish": [[0, 10], [241, 251]], "SYSTEM: JavaScript": [[16, 26]]}, "info": {"id": "mitre_mw_0232", "source": "mitre_attack", "mitre_id": "S1124", "name": "SocGholish", "type": "malware"}}
{"text": "Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.", "spans": {"ORGANIZATION: Federal Security Service": [[106, 130]], "MALWARE: Uroburos": [[0, 8], [227, 235], [381, 389], [557, 565]], "SYSTEM: Windows": [[597, 604]], "THREAT_ACTOR: Turla": [[157, 162]], "SYSTEM: macOS": [[617, 622]], "SYSTEM: Linux": [[606, 611]], "ORGANIZATION: FSB": [[132, 135]]}, "info": {"id": "mitre_mw_0233", "source": "mitre_attack", "mitre_id": "S0022", "name": "Uroburos", "type": "malware"}}
{"text": "UPPERCUT is a backdoor that has been used by menuPass.", "spans": {"THREAT_ACTOR: menuPass": [[45, 53]], "MALWARE: UPPERCUT": [[0, 8]]}, "info": {"id": "mitre_mw_0234", "source": "mitre_attack", "mitre_id": "S0275", "name": "UPPERCUT", "type": "malware"}}
{"text": "Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz.", "spans": {"MALWARE: Power Loader": [[0, 12]], "MALWARE: Carberp": [[108, 115]]}, "info": {"id": "mitre_mw_0235", "source": "mitre_attack", "mitre_id": "S0177", "name": "Power Loader", "type": "malware"}}
{"text": "LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.", "spans": {"SYSTEM: Microsoft Exchange": [[58, 76]], "MALWARE: LightNeuron": [[0, 11], [106, 117], [280, 291]], "THREAT_ACTOR: Turla": [[135, 140]], "SYSTEM: Linux": [[263, 268]]}, "info": {"id": "mitre_mw_0236", "source": "mitre_attack", "mitre_id": "S0395", "name": "LightNeuron", "type": "malware"}}
{"text": "ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.", "spans": {"MALWARE: ADVSTORESHELL": [[0, 13]], "THREAT_ACTOR: APT28": [[57, 62]]}, "info": {"id": "mitre_mw_0237", "source": "mitre_attack", "mitre_id": "S0045", "name": "ADVSTORESHELL", "type": "malware"}}
{"text": "SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.", "spans": {"MALWARE: SDBbot": [[0, 6]], "THREAT_ACTOR: TA505": [[80, 85]]}, "info": {"id": "mitre_mw_0238", "source": "mitre_attack", "mitre_id": "S0461", "name": "SDBbot", "type": "malware"}}
{"text": "TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.", "spans": {"MALWARE: POWERSOURCE": [[110, 121]], "SYSTEM: PowerShell": [[27, 37]], "MALWARE: TEXTMATE": [[0, 8]]}, "info": {"id": "mitre_mw_0239", "source": "mitre_attack", "mitre_id": "S0146", "name": "TEXTMATE", "type": "malware"}}
{"text": "Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.", "spans": {"MALWARE: Kerrdown": [[0, 8]], "THREAT_ACTOR: APT32": [[54, 59]]}, "info": {"id": "mitre_mw_0240", "source": "mitre_attack", "mitre_id": "S0585", "name": "Kerrdown", "type": "malware"}}
{"text": "A Linux rootkit that provides backdoor access and hides from defenders.", "spans": {"SYSTEM: Linux": [[2, 7]]}, "info": {"id": "mitre_mw_0241", "source": "mitre_attack", "mitre_id": "S0221", "name": "Umbreon", "type": "malware"}}
{"text": "SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.", "spans": {"SYSTEM: SolarWinds Orion": [[67, 83]], "MALWARE: SUNBURST": [[40, 48]], "MALWARE: SUNSPOT": [[0, 7]], "THREAT_ACTOR: APT29": [[126, 131]]}, "info": {"id": "mitre_mw_0242", "source": "mitre_attack", "mitre_id": "S0562", "name": "SUNSPOT", "type": "malware"}}
{"text": "ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.", "spans": {"MALWARE: ECCENTRICBANDWAGON": [[0, 18]]}, "info": {"id": "mitre_mw_0243", "source": "mitre_attack", "mitre_id": "S0593", "name": "ECCENTRICBANDWAGON", "type": "malware"}}
{"text": "ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.", "spans": {"MALWARE: FunnyDream": [[106, 116]], "MALWARE: ccf32": [[0, 5]]}, "info": {"id": "mitre_mw_0244", "source": "mitre_attack", "mitre_id": "S1043", "name": "ccf32", "type": "malware"}}
{"text": "HARDRAIN is a Trojan malware variant reportedly used by the North Korean government.", "spans": {"MALWARE: HARDRAIN": [[0, 8]]}, "info": {"id": "mitre_mw_0245", "source": "mitre_attack", "mitre_id": "S0246", "name": "HARDRAIN", "type": "malware"}}
{"text": "ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.", "spans": {"THREAT_ACTOR: BITTER": [[61, 67]], "MALWARE: ZxxZ": [[0, 4]]}, "info": {"id": "mitre_mw_0246", "source": "mitre_attack", "mitre_id": "S1013", "name": "ZxxZ", "type": "malware"}}
{"text": "VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code.", "spans": {"ORGANIZATION: Microsoft": [[46, 55]], "MALWARE: VERMIN": [[0, 6]], "SYSTEM: .NET": [[56, 60]]}, "info": {"id": "mitre_mw_0247", "source": "mitre_attack", "mitre_id": "S0257", "name": "VERMIN", "type": "malware"}}
{"text": "TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.", "spans": {"MALWARE: TajMahal": [[0, 8], [89, 97]]}, "info": {"id": "mitre_mw_0248", "source": "mitre_attack", "mitre_id": "S0467", "name": "TajMahal", "type": "malware"}}
{"text": "Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.", "spans": {"MALWARE: Gelsevirine": [[101, 112]], "MALWARE: Gelsenicine": [[77, 88]], "MALWARE: Gelsemium": [[0, 9], [185, 194], [216, 225]], "MALWARE: Gelsemine": [[55, 64]], "ORGANIZATION: Microsoft": [[141, 150]]}, "info": {"id": "mitre_mw_0249", "source": "mitre_attack", "mitre_id": "S0666", "name": "Gelsemium", "type": "malware"}}
{"text": "HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.", "spans": {"THREAT_ACTOR: Contagious Interview": [[291, 311]], "MALWARE: HexEval Loader": [[0, 14], [143, 157], [192, 206], [313, 327]], "MALWARE: BeaverTail": [[123, 133]]}, "info": {"id": "mitre_mw_0250", "source": "mitre_attack", "mitre_id": "S1249", "name": "HexEval Loader", "type": "malware"}}
{"text": "Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.", "spans": {"MALWARE: Downdelph": [[0, 9]], "THREAT_ACTOR: APT28": [[78, 83]]}, "info": {"id": "mitre_mw_0251", "source": "mitre_attack", "mitre_id": "S0134", "name": "Downdelph", "type": "malware"}}
{"text": "PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia.", "spans": {"MALWARE: PLAINTEE": [[0, 8]], "THREAT_ACTOR: Rancor": [[51, 57]]}, "info": {"id": "mitre_mw_0252", "source": "mitre_attack", "mitre_id": "S0254", "name": "PLAINTEE", "type": "malware"}}
{"text": "Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016.\nIn July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft.", "spans": {"MALWARE: Azorult": [[0, 7], [89, 96], [159, 166], [243, 250]]}, "info": {"id": "mitre_mw_0253", "source": "mitre_attack", "mitre_id": "S0344", "name": "Azorult", "type": "malware"}}
{"text": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.", "spans": {"MALWARE: Sakula": [[0, 6]]}, "info": {"id": "mitre_mw_0254", "source": "mitre_attack", "mitre_id": "S0074", "name": "Sakula", "type": "malware"}}
{"text": "LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.", "spans": {"THREAT_ACTOR: admin@338": [[27, 36]], "MALWARE: LOWBALL": [[0, 7]]}, "info": {"id": "mitre_mw_0255", "source": "mitre_attack", "mitre_id": "S0042", "name": "LOWBALL", "type": "malware"}}
{"text": "SHOTPUT is a custom backdoor used by APT3.", "spans": {"MALWARE: SHOTPUT": [[0, 7]], "THREAT_ACTOR: APT3": [[37, 41]]}, "info": {"id": "mitre_mw_0256", "source": "mitre_attack", "mitre_id": "S0063", "name": "SHOTPUT", "type": "malware"}}
{"text": "Starloader is a loader component that has been observed loading Felismus and associated tools.", "spans": {"MALWARE: Starloader": [[0, 10]], "MALWARE: Felismus": [[64, 72]]}, "info": {"id": "mitre_mw_0257", "source": "mitre_attack", "mitre_id": "S0188", "name": "Starloader", "type": "malware"}}
{"text": "Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign.", "spans": {"THREAT_ACTOR: NEODYMIUM": [[175, 184]], "MALWARE: FinFisher": [[75, 84]], "MALWARE: Wingbird": [[0, 8]]}, "info": {"id": "mitre_mw_0258", "source": "mitre_attack", "mitre_id": "S0176", "name": "Wingbird", "type": "malware"}}
{"text": "LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.", "spans": {"MALWARE: LockBit 2.0": [[0, 11], [151, 162]], "SYSTEM: Windows": [[197, 204]], "SYSTEM: VMware": [[209, 215]]}, "info": {"id": "mitre_mw_0259", "source": "mitre_attack", "mitre_id": "S1199", "name": "LockBit 2.0", "type": "malware"}}
{"text": "OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Saint Bear since at least March 2021.", "spans": {"THREAT_ACTOR: Saint Bear": [[116, 126]], "MALWARE: OutSteel": [[0, 8]]}, "info": {"id": "mitre_mw_0260", "source": "mitre_attack", "mitre_id": "S1017", "name": "OutSteel", "type": "malware"}}
{"text": "Remexi is a Windows-based Trojan that was developed in the C programming language.", "spans": {"SYSTEM: Windows": [[12, 19]], "MALWARE: Remexi": [[0, 6]]}, "info": {"id": "mitre_mw_0261", "source": "mitre_attack", "mitre_id": "S0375", "name": "Remexi", "type": "malware"}}
{"text": "CASTLETAP is an ICMP port knocking backdoor that has been installed on compromised FortiGate firewalls by UNC3886.", "spans": {"MALWARE: CASTLETAP": [[0, 9]], "THREAT_ACTOR: UNC3886": [[106, 113]]}, "info": {"id": "mitre_mw_0262", "source": "mitre_attack", "mitre_id": "S1224", "name": "CASTLETAP", "type": "malware"}}
{"text": "PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.", "spans": {"MALWARE: PlugX": [[0, 5]]}, "info": {"id": "mitre_mw_0263", "source": "mitre_attack", "mitre_id": "S0013", "name": "PlugX", "type": "malware"}}
{"text": "DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into Agrius operations.", "spans": {"MALWARE: DEADWOOD": [[0, 8], [64, 72]], "THREAT_ACTOR: Agrius": [[186, 192]]}, "info": {"id": "mitre_mw_0264", "source": "mitre_attack", "mitre_id": "S1134", "name": "DEADWOOD", "type": "malware"}}
{"text": "BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.", "spans": {"THREAT_ACTOR: Patchwork": [[72, 81]], "MALWARE: BADNEWS": [[0, 7]]}, "info": {"id": "mitre_mw_0265", "source": "mitre_attack", "mitre_id": "S0128", "name": "BADNEWS", "type": "malware"}}
{"text": "AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.", "spans": {"THREAT_ACTOR: Lazarus Group": [[51, 64]], "MALWARE: AuditCred": [[0, 9]]}, "info": {"id": "mitre_mw_0266", "source": "mitre_attack", "mitre_id": "S0347", "name": "AuditCred", "type": "malware"}}
{"text": "POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.", "spans": {"MALWARE: POWERSOURCE": [[0, 11]], "SYSTEM: PowerShell": [[17, 27]], "SYSTEM: DNS": [[118, 121]]}, "info": {"id": "mitre_mw_0267", "source": "mitre_attack", "mitre_id": "S0145", "name": "POWERSOURCE", "type": "malware"}}
{"text": "Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.", "spans": {"MALWARE: IPsec Helper": [[187, 199]], "MALWARE: Apostle": [[0, 7], [100, 107]], "SYSTEM: .NET": [[122, 126]]}, "info": {"id": "mitre_mw_0268", "source": "mitre_attack", "mitre_id": "S1133", "name": "Apostle", "type": "malware"}}
{"text": "WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.", "spans": {"MALWARE: WIREFIRE": [[0, 8], [142, 150]], "SYSTEM: Python": [[35, 41]], "SYSTEM: VPN": [[126, 129]]}, "info": {"id": "mitre_mw_0269", "source": "mitre_attack", "mitre_id": "S1115", "name": "WIREFIRE", "type": "malware"}}
{"text": "PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.", "spans": {"MALWARE: PITSTOP": [[0, 7]]}, "info": {"id": "mitre_mw_0270", "source": "mitre_attack", "mitre_id": "S1123", "name": "PITSTOP", "type": "malware"}}
{"text": "PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.", "spans": {"MALWARE: PingPull": [[0, 8], [119, 127]], "THREAT_ACTOR: GALLIUM": [[85, 92]]}, "info": {"id": "mitre_mw_0271", "source": "mitre_attack", "mitre_id": "S1031", "name": "PingPull", "type": "malware"}}
{"text": "HAMMERTOSS is a backdoor that was used by APT29 in 2015.", "spans": {"MALWARE: HAMMERTOSS": [[0, 10]], "THREAT_ACTOR: APT29": [[42, 47]]}, "info": {"id": "mitre_mw_0272", "source": "mitre_attack", "mitre_id": "S0037", "name": "HAMMERTOSS", "type": "malware"}}
{"text": "Felismus is a modular backdoor that has been used by Sowbug.", "spans": {"MALWARE: Felismus": [[0, 8]], "THREAT_ACTOR: Sowbug": [[53, 59]]}, "info": {"id": "mitre_mw_0273", "source": "mitre_attack", "mitre_id": "S0171", "name": "Felismus", "type": "malware"}}
{"text": "EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns.", "spans": {"SYSTEM: Microsoft Office": [[117, 133]], "THREAT_ACTOR: menuPass": [[94, 102]], "MALWARE: EvilGrab": [[0, 8]]}, "info": {"id": "mitre_mw_0274", "source": "mitre_attack", "mitre_id": "S0152", "name": "EvilGrab", "type": "malware"}}
{"text": "BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.", "spans": {"THREAT_ACTOR: IndigoZebra": [[47, 58]], "MALWARE: BoxCaon": [[0, 7], [129, 136]], "SYSTEM: Windows": [[13, 20]], "MALWARE: xCaon": [[199, 204]]}, "info": {"id": "mitre_mw_0275", "source": "mitre_attack", "mitre_id": "S0651", "name": "BoxCaon", "type": "malware"}}
{"text": "Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable.", "spans": {"SYSTEM: PowerShell": [[84, 94]], "MALWARE: Helminth": [[0, 8]], "SYSTEM: Windows": [[176, 183]]}, "info": {"id": "mitre_mw_0276", "source": "mitre_attack", "mitre_id": "S0170", "name": "Helminth", "type": "malware"}}
{"text": "Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.", "spans": {"SYSTEM: Windows": [[11, 18]], "ORGANIZATION: Google": [[187, 193]], "THREAT_ACTOR: APT32": [[47, 52]], "MALWARE: Goopy": [[0, 5], [132, 137]], "MALWARE: Denis": [[124, 129]]}, "info": {"id": "mitre_mw_0277", "source": "mitre_attack", "mitre_id": "S0477", "name": "Goopy", "type": "malware"}}
{"text": "TAMECAT is a malware that is used by APT42 to execute PowerShell or C# content.", "spans": {"SYSTEM: PowerShell": [[54, 64]], "MALWARE: TAMECAT": [[0, 7]], "THREAT_ACTOR: APT42": [[37, 42]]}, "info": {"id": "mitre_mw_0278", "source": "mitre_attack", "mitre_id": "S1193", "name": "TAMECAT", "type": "malware"}}
{"text": "HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.", "spans": {"MALWARE: HOPLIGHT": [[0, 8]]}, "info": {"id": "mitre_mw_0279", "source": "mitre_attack", "mitre_id": "S0376", "name": "HOPLIGHT", "type": "malware"}}
{"text": "USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.", "spans": {"THREAT_ACTOR: Tropic Trooper": [[65, 79]], "MALWARE: USBferry": [[0, 8], [167, 175]], "MALWARE: YAHOYAH": [[212, 219]]}, "info": {"id": "mitre_mw_0280", "source": "mitre_attack", "mitre_id": "S0452", "name": "USBferry", "type": "malware"}}
{"text": "DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017.", "spans": {"THREAT_ACTOR: Rancor": [[58, 64]], "MALWARE: DDKONG": [[0, 6], [66, 72]]}, "info": {"id": "mitre_mw_0281", "source": "mitre_attack", "mitre_id": "S0255", "name": "DDKONG", "type": "malware"}}
{"text": "OilBooster is a downloader written in Microsoft Visual C/C++ that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute files and for exfiltration.", "spans": {"MALWARE: OilBooster": [[0, 10]], "ORGANIZATION: Microsoft": [[38, 47]], "THREAT_ACTOR: OilRig": [[83, 89]]}, "info": {"id": "mitre_mw_0282", "source": "mitre_attack", "mitre_id": "S1172", "name": "OilBooster", "type": "malware"}}
{"text": "AcidPour is a variant of AcidRain designed to impact a wider range of x86 architecture Linux devices. AcidPour is an x86 ELF binary that expands on the targeted devices and locations in AcidRain by including items such as Unsorted Block Image (UBI), Device Mapper (DM), and various flash memory references. Based on this expanded targeting, AcidPour can impact a variety of device types including IoT, networking, and ICS embedded device types. AcidPour is a wiping payload associated with the Sandworm Team threat actor, and potentially linked to attacks against Ukrainian internet service providers (ISPs) in 2023.", "spans": {"THREAT_ACTOR: Sandworm Team": [[494, 507]], "MALWARE: AcidPour": [[0, 8], [102, 110], [341, 349], [445, 453]], "MALWARE: AcidRain": [[25, 33], [186, 194]], "SYSTEM: Linux": [[87, 92]]}, "info": {"id": "mitre_mw_0283", "source": "mitre_attack", "mitre_id": "S1167", "name": "AcidPour", "type": "malware"}}
{"text": "STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.", "spans": {"MALWARE: STEADYPULSE": [[0, 11]], "SYSTEM: Perl": [[111, 115]], "SYSTEM: VPN": [[62, 65]]}, "info": {"id": "mitre_mw_0284", "source": "mitre_attack", "mitre_id": "S1112", "name": "STEADYPULSE", "type": "malware"}}
{"text": "ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.", "spans": {"MALWARE: ZxShell": [[0, 7]]}, "info": {"id": "mitre_mw_0285", "source": "mitre_attack", "mitre_id": "S0412", "name": "ZxShell", "type": "malware"}}
{"text": "Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.", "spans": {"MALWARE: Green Lambert": [[0, 13], [200, 213]], "SYSTEM: Windows": [[181, 188]], "SYSTEM: macOS": [[253, 258]]}, "info": {"id": "mitre_mw_0286", "source": "mitre_attack", "mitre_id": "S0690", "name": "Green Lambert", "type": "malware"}}
{"text": "Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.", "spans": {"MALWARE: Valak": [[0, 5]]}, "info": {"id": "mitre_mw_0287", "source": "mitre_attack", "mitre_id": "S0476", "name": "Valak", "type": "malware"}}
{"text": "KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing \"KGH\".", "spans": {"THREAT_ACTOR: Kimsuky": [[44, 51]], "MALWARE: KGH_SPY": [[0, 7], [121, 128]]}, "info": {"id": "mitre_mw_0288", "source": "mitre_attack", "mitre_id": "S0526", "name": "KGH_SPY", "type": "malware"}}
{"text": "NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.", "spans": {"MALWARE: NGLite": [[0, 6], [154, 160]]}, "info": {"id": "mitre_mw_0289", "source": "mitre_attack", "mitre_id": "S1106", "name": "NGLite", "type": "malware"}}
{"text": "Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.", "spans": {"THREAT_ACTOR: Ke3chang": [[95, 103]], "SYSTEM: Windows": [[11, 18]], "MALWARE: Okrum": [[0, 5]]}, "info": {"id": "mitre_mw_0290", "source": "mitre_attack", "mitre_id": "S0439", "name": "Okrum", "type": "malware"}}
{"text": "Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deployment, resulting in no impact.", "spans": {"MALWARE: Industroyer2": [[0, 12], [209, 221], [303, 315]], "MALWARE: Industroyer": [[163, 174]]}, "info": {"id": "mitre_mw_0291", "source": "mitre_attack", "mitre_id": "S1072", "name": "Industroyer2", "type": "malware"}}
{"text": "Gazer is a backdoor used by Turla since at least 2016.", "spans": {"THREAT_ACTOR: Turla": [[28, 33]], "MALWARE: Gazer": [[0, 5]]}, "info": {"id": "mitre_mw_0292", "source": "mitre_attack", "mitre_id": "S0168", "name": "Gazer", "type": "malware"}}
{"text": "SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.", "spans": {"THREAT_ACTOR: Mustang Panda": [[204, 217]], "MALWARE: SplatDropper": [[159, 171]], "MALWARE: SplatCloak": [[0, 10], [127, 137]], "ORGANIZATION: Kaspersky": [[88, 97]], "SYSTEM: Windows": [[67, 74]]}, "info": {"id": "mitre_mw_0293", "source": "mitre_attack", "mitre_id": "S1234", "name": "SplatCloak", "type": "malware"}}
{"text": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.", "spans": {"MALWARE: MoonWind": [[0, 8]]}, "info": {"id": "mitre_mw_0294", "source": "mitre_attack", "mitre_id": "S0149", "name": "MoonWind", "type": "malware"}}
{"text": "HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.", "spans": {"MALWARE: HyperStack": [[0, 10], [70, 80]], "MALWARE: Carbon": [[141, 147]], "THREAT_ACTOR: Turla": [[43, 48], [125, 130]]}, "info": {"id": "mitre_mw_0295", "source": "mitre_attack", "mitre_id": "S0537", "name": "HyperStack", "type": "malware"}}
{"text": "MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021. MacMa shares command and control and unique libraries with MgBot and Nightdoor, indicating a relationship with the Daggerfly threat actor.", "spans": {"THREAT_ACTOR: Daggerfly": [[301, 310]], "MALWARE: Nightdoor": [[255, 264]], "MALWARE: MacMa": [[0, 5], [129, 134], [186, 191]], "MALWARE: MgBot": [[245, 250]], "SYSTEM: macOS": [[11, 16]]}, "info": {"id": "mitre_mw_0296", "source": "mitre_attack", "mitre_id": "S1016", "name": "MacMa", "type": "malware"}}
{"text": "OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network.", "spans": {"MALWARE: OSInfo": [[0, 6]], "THREAT_ACTOR: APT3": [[32, 36]]}, "info": {"id": "mitre_mw_0297", "source": "mitre_attack", "mitre_id": "S0165", "name": "OSInfo", "type": "malware"}}
{"text": "H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.", "spans": {"MALWARE: H1N1": [[0, 4]]}, "info": {"id": "mitre_mw_0298", "source": "mitre_attack", "mitre_id": "S0132", "name": "H1N1", "type": "malware"}}
{"text": "Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language.", "spans": {"THREAT_ACTOR: PROMETHIUM": [[54, 64]], "MALWARE: Truvasys": [[0, 8]]}, "info": {"id": "mitre_mw_0299", "source": "mitre_attack", "mitre_id": "S0178", "name": "Truvasys", "type": "malware"}}
{"text": "Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.", "spans": {"THREAT_ACTOR: Lotus Blossom": [[73, 86]], "MALWARE: Elise": [[0, 5]]}, "info": {"id": "mitre_mw_0300", "source": "mitre_attack", "mitre_id": "S0081", "name": "Elise", "type": "malware"}}
{"text": "Dyre is a banking Trojan that has been used for financial gain.", "spans": {"MALWARE: Dyre": [[0, 4]]}, "info": {"id": "mitre_mw_0301", "source": "mitre_attack", "mitre_id": "S0024", "name": "Dyre", "type": "malware"}}
{"text": "OLDBAIT is a credential harvester used by APT28.", "spans": {"MALWARE: OLDBAIT": [[0, 7]], "THREAT_ACTOR: APT28": [[42, 47]]}, "info": {"id": "mitre_mw_0302", "source": "mitre_attack", "mitre_id": "S0138", "name": "OLDBAIT", "type": "malware"}}
{"text": "Comnie is a remote backdoor which has been used in attacks in East Asia.", "spans": {"MALWARE: Comnie": [[0, 6]]}, "info": {"id": "mitre_mw_0303", "source": "mitre_attack", "mitre_id": "S0244", "name": "Comnie", "type": "malware"}}
{"text": "GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.", "spans": {"MALWARE: GLOOXMAIL": [[0, 9]], "THREAT_ACTOR: APT1": [[29, 33]]}, "info": {"id": "mitre_mw_0304", "source": "mitre_attack", "mitre_id": "S0026", "name": "GLOOXMAIL", "type": "malware"}}
{"text": "LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.", "spans": {"MALWARE: LockerGoga": [[0, 10]]}, "info": {"id": "mitre_mw_0305", "source": "mitre_attack", "mitre_id": "S0372", "name": "LockerGoga", "type": "malware"}}
{"text": "PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.", "spans": {"MALWARE: PowerDuke": [[0, 9]], "ORGANIZATION: Microsoft": [[96, 105]], "THREAT_ACTOR: APT29": [[41, 46]]}, "info": {"id": "mitre_mw_0306", "source": "mitre_attack", "mitre_id": "S0139", "name": "PowerDuke", "type": "malware"}}
{"text": "Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files.", "spans": {"SYSTEM: JavaScript": [[16, 26]], "THREAT_ACTOR: Leviathan": [[44, 53]], "ORGANIZATION: Microsoft": [[139, 148]], "MALWARE: Orz": [[0, 3]]}, "info": {"id": "mitre_mw_0307", "source": "mitre_attack", "mitre_id": "S0229", "name": "Orz", "type": "malware"}}
{"text": "httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.", "spans": {"THREAT_ACTOR: Putter Panda": [[30, 42]], "MALWARE: httpclient": [[0, 10]]}, "info": {"id": "mitre_mw_0308", "source": "mitre_attack", "mitre_id": "S0068", "name": "httpclient", "type": "malware"}}
{"text": "Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.", "spans": {"MALWARE: SOUNDBITE": [[95, 104]], "SYSTEM: Windows": [[11, 18]], "THREAT_ACTOR: APT32": [[47, 52]], "MALWARE: Goopy": [[156, 161]], "MALWARE: Denis": [[0, 5], [54, 59]]}, "info": {"id": "mitre_mw_0309", "source": "mitre_attack", "mitre_id": "S0354", "name": "Denis", "type": "malware"}}
{"text": "P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.", "spans": {"MALWARE: P2P ZeuS": [[0, 8]]}, "info": {"id": "mitre_mw_0310", "source": "mitre_attack", "mitre_id": "S0016", "name": "P2P ZeuS", "type": "malware"}}
{"text": "Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.", "spans": {"MALWARE: Zeus Panda": [[0, 10], [111, 121]], "SYSTEM: Windows": [[276, 283], [315, 322], [334, 341]]}, "info": {"id": "mitre_mw_0311", "source": "mitre_attack", "mitre_id": "S0330", "name": "Zeus Panda", "type": "malware"}}
{"text": "Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.", "spans": {"MALWARE: Olympic Destroyer": [[0, 17], [317, 334]], "THREAT_ACTOR: Sandworm Team": [[46, 59]], "SYSTEM: Windows": [[249, 256]]}, "info": {"id": "mitre_mw_0312", "source": "mitre_attack", "mitre_id": "S0365", "name": "Olympic Destroyer", "type": "malware"}}
{"text": "SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.", "spans": {"MALWARE: SeaDuke": [[0, 7]], "MALWARE: CozyCar": [[154, 161]], "THREAT_ACTOR: APT29": [[36, 41]]}, "info": {"id": "mitre_mw_0313", "source": "mitre_attack", "mitre_id": "S0053", "name": "SeaDuke", "type": "malware"}}
{"text": "HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.", "spans": {"MALWARE: HermeticWizard": [[0, 14]], "MALWARE: HermeticWiper": [[54, 67]]}, "info": {"id": "mitre_mw_0314", "source": "mitre_attack", "mitre_id": "S0698", "name": "HermeticWizard", "type": "malware"}}
{"text": "DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named \"DarkGate\" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions. DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.", "spans": {"MALWARE: DarkGate": [[0, 8], [174, 182], [199, 207], [300, 308]]}, "info": {"id": "mitre_mw_0315", "source": "mitre_attack", "mitre_id": "S1111", "name": "DarkGate", "type": "malware"}}
{"text": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.", "spans": {"MALWARE: Flame": [[0, 5]]}, "info": {"id": "mitre_mw_0316", "source": "mitre_attack", "mitre_id": "S0143", "name": "Flame", "type": "malware"}}
{"text": "SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.", "spans": {"MALWARE: SodaMaster": [[0, 10]], "THREAT_ACTOR: menuPass": [[41, 49]]}, "info": {"id": "mitre_mw_0317", "source": "mitre_attack", "mitre_id": "S0627", "name": "SodaMaster", "type": "malware"}}
{"text": "Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[46, 59]], "MALWARE: Avenger": [[0, 7]]}, "info": {"id": "mitre_mw_0318", "source": "mitre_attack", "mitre_id": "S0473", "name": "Avenger", "type": "malware"}}
{"text": "Hancitor is a downloader that has been used by Pony and other information stealing malware.", "spans": {"MALWARE: Hancitor": [[0, 8]], "MALWARE: Pony": [[47, 51]]}, "info": {"id": "mitre_mw_0319", "source": "mitre_attack", "mitre_id": "S0499", "name": "Hancitor", "type": "malware"}}
{"text": "OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims.", "spans": {"THREAT_ACTOR: OilRig": [[27, 33]], "MALWARE: OopsIE": [[0, 6]]}, "info": {"id": "mitre_mw_0320", "source": "mitre_attack", "mitre_id": "S0264", "name": "OopsIE", "type": "malware"}}
{"text": "LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.", "spans": {"MALWARE: PolyglotDuke": [[117, 129]], "MALWARE: MiniDuke": [[177, 185]], "MALWARE: LiteDuke": [[0, 8], [83, 91]], "THREAT_ACTOR: APT29": [[52, 57]]}, "info": {"id": "mitre_mw_0321", "source": "mitre_attack", "mitre_id": "S0513", "name": "LiteDuke", "type": "malware"}}
{"text": "Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. Observed since 2022, Exbyte transfers collected files to online file sharing and hosting services.", "spans": {"THREAT_ACTOR: BlackByte": [[78, 87]], "MALWARE: Exbyte": [[0, 6], [121, 127]]}, "info": {"id": "mitre_mw_0322", "source": "mitre_attack", "mitre_id": "S1179", "name": "Exbyte", "type": "malware"}}
{"text": "adbupd is a backdoor used by PLATINUM that is similar to Dipsind.", "spans": {"THREAT_ACTOR: PLATINUM": [[29, 37]], "MALWARE: Dipsind": [[57, 64]], "MALWARE: adbupd": [[0, 6]]}, "info": {"id": "mitre_mw_0323", "source": "mitre_attack", "mitre_id": "S0202", "name": "adbupd", "type": "malware"}}
{"text": "VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).", "spans": {"MALWARE: VIRTUALPIE": [[0, 10], [192, 202]], "THREAT_ACTOR: UNC3886": [[252, 259]], "SYSTEM: Python": [[48, 54]], "SYSTEM: VMware": [[89, 95]]}, "info": {"id": "mitre_mw_0324", "source": "mitre_attack", "mitre_id": "S1218", "name": "VIRTUALPIE", "type": "malware"}}
{"text": "Lumma Stealer is an information stealer malware family in use since at least 2022. Lumma Stealer is a Malware as a Service (MaaS) where captured data has been sold in criminal markets to Initial Access Brokers.", "spans": {"MALWARE: Lumma Stealer": [[0, 13], [83, 96]]}, "info": {"id": "mitre_mw_0325", "source": "mitre_attack", "mitre_id": "S1213", "name": "Lumma Stealer", "type": "malware"}}
{"text": "STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.", "spans": {"THREAT_ACTOR: MuddyWater": [[72, 82], [301, 311]], "MALWARE: STARWHALE": [[0, 9], [139, 148], [250, 259]], "SYSTEM: Windows": [[15, 22]]}, "info": {"id": "mitre_mw_0326", "source": "mitre_attack", "mitre_id": "S1037", "name": "STARWHALE", "type": "malware"}}
{"text": "metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.", "spans": {"MALWARE: metaMain": [[0, 8]], "THREAT_ACTOR: Metador": [[31, 38]], "MALWARE: Mafalda": [[126, 133]]}, "info": {"id": "mitre_mw_0327", "source": "mitre_attack", "mitre_id": "S1059", "name": "metaMain", "type": "malware"}}
{"text": "DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit.", "spans": {"MALWARE: DOGCALL": [[0, 7]], "THREAT_ACTOR: APT37": [[30, 35]]}, "info": {"id": "mitre_mw_0328", "source": "mitre_attack", "mitre_id": "S0213", "name": "DOGCALL", "type": "malware"}}
{"text": "Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[69, 86]], "MALWARE: Clambling": [[0, 9]]}, "info": {"id": "mitre_mw_0329", "source": "mitre_attack", "mitre_id": "S0660", "name": "Clambling", "type": "malware"}}
{"text": "TinyZBot is a bot written in C# that was developed by Cleaver.", "spans": {"MALWARE: TinyZBot": [[0, 8]], "THREAT_ACTOR: Cleaver": [[54, 61]]}, "info": {"id": "mitre_mw_0330", "source": "mitre_attack", "mitre_id": "S0004", "name": "TinyZBot", "type": "malware"}}
{"text": "QUADAGENT is a PowerShell backdoor used by OilRig.", "spans": {"SYSTEM: PowerShell": [[15, 25]], "MALWARE: QUADAGENT": [[0, 9]], "THREAT_ACTOR: OilRig": [[43, 49]]}, "info": {"id": "mitre_mw_0331", "source": "mitre_attack", "mitre_id": "S0269", "name": "QUADAGENT", "type": "malware"}}
{"text": "RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.", "spans": {"MALWARE: RARSTONE": [[0, 8]], "THREAT_ACTOR: Naikon": [[32, 38]], "MALWARE: PlugX": [[86, 91]]}, "info": {"id": "mitre_mw_0332", "source": "mitre_attack", "mitre_id": "S0055", "name": "RARSTONE", "type": "malware"}}
{"text": "MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat actor in operations. MagicRAT allows for arbitrary command execution on victim machines and provides basic remote access functionality.", "spans": {"THREAT_ACTOR: Lazarus Group": [[78, 91]], "MALWARE: MagicRAT": [[0, 8], [120, 128]]}, "info": {"id": "mitre_mw_0333", "source": "mitre_attack", "mitre_id": "S1182", "name": "MagicRAT", "type": "malware"}}
{"text": "SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.", "spans": {"MALWARE: SQLRat": [[0, 6]], "THREAT_ACTOR: FIN7": [[89, 93]]}, "info": {"id": "mitre_mw_0334", "source": "mitre_attack", "mitre_id": "S0390", "name": "SQLRat", "type": "malware"}}
{"text": "CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.", "spans": {"THREAT_ACTOR: Mustang Panda": [[48, 61]], "MALWARE: CorKLOG": [[0, 7], [103, 110], [226, 233], [254, 261]]}, "info": {"id": "mitre_mw_0335", "source": "mitre_attack", "mitre_id": "S1235", "name": "CorKLOG", "type": "malware"}}
{"text": "LunarWeb is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with LunarLoader and LunarMail. LunarWeb has only been observed deployed against servers and can use Steganography to obfuscate command and control.", "spans": {"MALWARE: LunarLoader": [[159, 170]], "MALWARE: LunarMail": [[175, 184]], "MALWARE: LunarWeb": [[0, 8], [186, 194]], "THREAT_ACTOR: Turla": [[45, 50]]}, "info": {"id": "mitre_mw_0336", "source": "mitre_attack", "mitre_id": "S1141", "name": "LunarWeb", "type": "malware"}}
{"text": "Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.", "spans": {"THREAT_ACTOR: Darkhotel": [[203, 212]], "MALWARE: Ramsay": [[0, 6], [188, 194]]}, "info": {"id": "mitre_mw_0337", "source": "mitre_attack", "mitre_id": "S0458", "name": "Ramsay", "type": "malware"}}
{"text": "Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.", "spans": {"MALWARE: Squirrelwaffle": [[0, 14]], "MALWARE: Cobalt Strike": [[145, 158]], "MALWARE: QakBot": [[167, 173]]}, "info": {"id": "mitre_mw_0338", "source": "mitre_attack", "mitre_id": "S1030", "name": "Squirrelwaffle", "type": "malware"}}
{"text": "Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.", "spans": {"THREAT_ACTOR: HAFNIUM": [[41, 48]], "MALWARE: Tarrask": [[0, 7], [77, 84]]}, "info": {"id": "mitre_mw_0339", "source": "mitre_attack", "mitre_id": "S1011", "name": "Tarrask", "type": "malware"}}
{"text": "Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.", "spans": {"ORGANIZATION: Microsoft": [[54, 63]], "SYSTEM: Windows": [[64, 71]], "SYSTEM: Python": [[209, 215]], "MALWARE: Xbash": [[0, 5], [186, 191]], "SYSTEM: Linux": [[44, 49], [257, 262]]}, "info": {"id": "mitre_mw_0340", "source": "mitre_attack", "mitre_id": "S0341", "name": "Xbash", "type": "malware"}}
{"text": "FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website.", "spans": {"THREAT_ACTOR: Lazarus Group": [[41, 54], [175, 188]], "MALWARE: FALLCHILL": [[0, 9]]}, "info": {"id": "mitre_mw_0341", "source": "mitre_attack", "mitre_id": "S0181", "name": "FALLCHILL", "type": "malware"}}
{"text": "HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA. HotCroissant shares numerous code similarities with Rifdoor.", "spans": {"THREAT_ACTOR: HIDDEN COBRA": [[161, 173]], "MALWARE: HotCroissant": [[0, 12], [175, 187]], "MALWARE: Rifdoor": [[227, 234]], "TOOL: attrib": [[45, 51]]}, "info": {"id": "mitre_mw_0342", "source": "mitre_attack", "mitre_id": "S0431", "name": "HotCroissant", "type": "malware"}}
{"text": "Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.", "spans": {"MALWARE: Carbanak": [[0, 8], [79, 87]]}, "info": {"id": "mitre_mw_0343", "source": "mitre_attack", "mitre_id": "S0030", "name": "Carbanak", "type": "malware"}}
{"text": "DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.", "spans": {"THREAT_ACTOR: Molerats": [[70, 78]], "MALWARE: DustySky": [[0, 8]], "SYSTEM: .NET": [[43, 47]]}, "info": {"id": "mitre_mw_0344", "source": "mitre_attack", "mitre_id": "S0062", "name": "DustySky", "type": "malware"}}
{"text": "WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.", "spans": {"MALWARE: WellMess": [[0, 8]], "THREAT_ACTOR: APT29": [[126, 131]], "SYSTEM: .NET": [[66, 70]]}, "info": {"id": "mitre_mw_0345", "source": "mitre_attack", "mitre_id": "S0514", "name": "WellMess", "type": "malware"}}
{"text": "CORALDECK is an exfiltration tool used by APT37.", "spans": {"MALWARE: CORALDECK": [[0, 9]], "THREAT_ACTOR: APT37": [[42, 47]]}, "info": {"id": "mitre_mw_0346", "source": "mitre_attack", "mitre_id": "S0212", "name": "CORALDECK", "type": "malware"}}
{"text": "XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.", "spans": {"MALWARE: XTunnel": [[0, 7]], "THREAT_ACTOR: APT28": [[151, 156]], "SYSTEM: VPN": [[13, 16]]}, "info": {"id": "mitre_mw_0347", "source": "mitre_attack", "mitre_id": "S0117", "name": "XTunnel", "type": "malware"}}
{"text": "WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.", "spans": {"MALWARE: WARPWIRE": [[0, 8]]}, "info": {"id": "mitre_mw_0348", "source": "mitre_attack", "mitre_id": "S1116", "name": "WARPWIRE", "type": "malware"}}
{"text": "Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usability, security, and fixes for existing reGeorg bugs.", "spans": {"MALWARE: Neo-reGeorg": [[0, 11]], "MALWARE: reGeorg": [[71, 78], [137, 144]]}, "info": {"id": "mitre_mw_0349", "source": "mitre_attack", "mitre_id": "S1189", "name": "Neo-reGeorg", "type": "malware"}}
{"text": "jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.", "spans": {"MALWARE: jRAT": [[0, 4], [101, 105]]}, "info": {"id": "mitre_mw_0350", "source": "mitre_attack", "mitre_id": "S0283", "name": "jRAT", "type": "malware"}}
{"text": "Amadey is a Trojan bot that has been used since at least October 2018.", "spans": {"MALWARE: Amadey": [[0, 6]]}, "info": {"id": "mitre_mw_0351", "source": "mitre_attack", "mitre_id": "S1025", "name": "Amadey", "type": "malware"}}
{"text": "PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.", "spans": {"MALWARE: PowerStallion": [[0, 13]], "SYSTEM: PowerShell": [[31, 41]], "THREAT_ACTOR: Turla": [[59, 64]]}, "info": {"id": "mitre_mw_0352", "source": "mitre_attack", "mitre_id": "S0393", "name": "PowerStallion", "type": "malware"}}
{"text": "Mango is a first-stage backdoor written in C#/.NET that was used by OilRig during the Juicy Mix campaign. Mango is the successor to Solar and includes additional exfiltration capabilities, the use of native APIs, and added detection evasion code.", "spans": {"THREAT_ACTOR: OilRig": [[68, 74]], "MALWARE: Mango": [[0, 5], [106, 111]], "MALWARE: Solar": [[132, 137]], "SYSTEM: .NET": [[46, 50]]}, "info": {"id": "mitre_mw_0353", "source": "mitre_attack", "mitre_id": "S1169", "name": "Mango", "type": "malware"}}
{"text": "DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.", "spans": {"THREAT_ACTOR: Moses Staff": [[51, 62], [141, 152]], "MALWARE: DCSrv": [[0, 5], [101, 106]]}, "info": {"id": "mitre_mw_0354", "source": "mitre_attack", "mitre_id": "S1033", "name": "DCSrv", "type": "malware"}}
{"text": "StrongPity is an information stealing malware used by PROMETHIUM.", "spans": {"THREAT_ACTOR: PROMETHIUM": [[54, 64]], "MALWARE: StrongPity": [[0, 10]]}, "info": {"id": "mitre_mw_0355", "source": "mitre_attack", "mitre_id": "S0491", "name": "StrongPity", "type": "malware"}}
{"text": "BPFDoor is a Linux-based passive long-term backdoor used by China-based threat actors. First seen in 2021, BPFDoor is named after its usage of Berkeley Packet Filter (BPF) to execute single task instructions. BPFDoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.", "spans": {"MALWARE: BPFDoor": [[0, 7], [107, 114], [209, 216]], "SYSTEM: Linux": [[13, 18]]}, "info": {"id": "mitre_mw_0356", "source": "mitre_attack", "mitre_id": "S1161", "name": "BPFDoor", "type": "malware"}}
{"text": "Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.", "spans": {"MALWARE: Lokibot": [[0, 7], [208, 215]]}, "info": {"id": "mitre_mw_0357", "source": "mitre_attack", "mitre_id": "S0447", "name": "Lokibot", "type": "malware"}}
{"text": "DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).", "spans": {"MALWARE: DEADEYE.APPEND": [[212, 226]], "MALWARE: DEADEYE.EMBED": [[162, 175]], "MALWARE: DEADEYE": [[0, 7], [83, 90]], "THREAT_ACTOR: APT41": [[52, 57]]}, "info": {"id": "mitre_mw_0358", "source": "mitre_attack", "mitre_id": "S1052", "name": "DEADEYE", "type": "malware"}}
{"text": "Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).", "spans": {"MALWARE: Dok": [[0, 3]]}, "info": {"id": "mitre_mw_0359", "source": "mitre_attack", "mitre_id": "S0281", "name": "Dok", "type": "malware"}}
{"text": "CrossRAT is a cross platform RAT.", "spans": {"MALWARE: CrossRAT": [[0, 8]]}, "info": {"id": "mitre_mw_0360", "source": "mitre_attack", "mitre_id": "S0235", "name": "CrossRAT", "type": "malware"}}
{"text": "BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.", "spans": {"MALWARE: BLACKCOFFEE": [[0, 11]]}, "info": {"id": "mitre_mw_0361", "source": "mitre_attack", "mitre_id": "S0069", "name": "BLACKCOFFEE", "type": "malware"}}
{"text": "BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.", "spans": {"MALWARE: BLINDINGCAN": [[0, 11]]}, "info": {"id": "mitre_mw_0362", "source": "mitre_attack", "mitre_id": "S0520", "name": "BLINDINGCAN", "type": "malware"}}
{"text": "SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.", "spans": {"TOOL: CARROTBALL": [[165, 175]], "MALWARE: CARROTBAT": [[180, 189]], "MALWARE: SYSCON": [[0, 6], [132, 138]]}, "info": {"id": "mitre_mw_0363", "source": "mitre_attack", "mitre_id": "S0464", "name": "SYSCON", "type": "malware"}}
{"text": "Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.", "spans": {"SYSTEM: Windows": [[11, 18]], "MALWARE: Attor": [[0, 5], [82, 87]]}, "info": {"id": "mitre_mw_0364", "source": "mitre_attack", "mitre_id": "S0438", "name": "Attor", "type": "malware"}}
{"text": "Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.", "spans": {"MALWARE: Lucifer": [[0, 7]], "SYSTEM: Windows": [[108, 115]]}, "info": {"id": "mitre_mw_0365", "source": "mitre_attack", "mitre_id": "S0532", "name": "Lucifer", "type": "malware"}}
{"text": "HDoor is malware that has been customized and used by the Naikon group.", "spans": {"THREAT_ACTOR: Naikon": [[58, 64]], "MALWARE: HDoor": [[0, 5]]}, "info": {"id": "mitre_mw_0366", "source": "mitre_attack", "mitre_id": "S0061", "name": "HDoor", "type": "malware"}}
{"text": "Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.", "spans": {"THREAT_ACTOR: Lazarus Group": [[92, 105]], "MALWARE: Torisma": [[0, 7], [107, 114]]}, "info": {"id": "mitre_mw_0367", "source": "mitre_attack", "mitre_id": "S0678", "name": "Torisma", "type": "malware"}}
{"text": "SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.", "spans": {"THREAT_ACTOR: MoustachedBouncer": [[62, 79]], "MALWARE: SharpDisco": [[0, 10]]}, "info": {"id": "mitre_mw_0368", "source": "mitre_attack", "mitre_id": "S1089", "name": "SharpDisco", "type": "malware"}}
{"text": "MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least 2012. MgBot was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.", "spans": {"THREAT_ACTOR: Daggerfly": [[65, 74]], "MALWARE: MgBot": [[0, 5], [107, 112]]}, "info": {"id": "mitre_mw_0369", "source": "mitre_attack", "mitre_id": "S1146", "name": "MgBot", "type": "malware"}}
{"text": "BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[42, 55]], "MALWARE: BBK": [[0, 3]]}, "info": {"id": "mitre_mw_0370", "source": "mitre_attack", "mitre_id": "S0470", "name": "BBK", "type": "malware"}}
{"text": "LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.", "spans": {"MALWARE: LookBack": [[0, 8], [174, 182]], "THREAT_ACTOR: TALONITE": [[126, 134]]}, "info": {"id": "mitre_mw_0371", "source": "mitre_attack", "mitre_id": "S0582", "name": "LookBack", "type": "malware"}}
{"text": "PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.", "spans": {"THREAT_ACTOR: Magic Hound": [[71, 82]], "SYSTEM: PowerShell": [[15, 25]], "MALWARE: PowerLess": [[0, 9]]}, "info": {"id": "mitre_mw_0372", "source": "mitre_attack", "mitre_id": "S1012", "name": "PowerLess", "type": "malware"}}
{"text": "CosmicDuke is malware that was used by APT29 from 2010 to 2015.", "spans": {"MALWARE: CosmicDuke": [[0, 10]], "THREAT_ACTOR: APT29": [[39, 44]]}, "info": {"id": "mitre_mw_0373", "source": "mitre_attack", "mitre_id": "S0050", "name": "CosmicDuke", "type": "malware"}}
{"text": "VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution, file transfer, and starting and stopping processes. VIRTUALPITA has been in use since at least 2022 including by UNC3886, which leveraged malicious vSphere Installation Bundles (VIBs) to install it on ESXi hypervisors.", "spans": {"MALWARE: VIRTUALPITA": [[0, 11], [153, 164]], "THREAT_ACTOR: UNC3886": [[214, 221]], "SYSTEM: Linux": [[48, 53]]}, "info": {"id": "mitre_mw_0374", "source": "mitre_attack", "mitre_id": "S1217", "name": "VIRTUALPITA", "type": "malware"}}
{"text": "Cadelspy is a backdoor that has been used by APT39.", "spans": {"MALWARE: Cadelspy": [[0, 8]], "THREAT_ACTOR: APT39": [[45, 50]]}, "info": {"id": "mitre_mw_0375", "source": "mitre_attack", "mitre_id": "S0454", "name": "Cadelspy", "type": "malware"}}
{"text": "Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.", "spans": {"MALWARE: Line Dancer": [[0, 11], [97, 108]], "SYSTEM: Lua": [[29, 32]]}, "info": {"id": "mitre_mw_0376", "source": "mitre_attack", "mitre_id": "S1186", "name": "Line Dancer", "type": "malware"}}
{"text": "AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.", "spans": {"THREAT_ACTOR: Lazarus Group": [[149, 162]], "MALWARE: AppleJeus": [[0, 9], [122, 131], [398, 407]], "MALWARE: FALLCHILL": [[440, 449]]}, "info": {"id": "mitre_mw_0377", "source": "mitre_attack", "mitre_id": "S0584", "name": "AppleJeus", "type": "malware"}}
{"text": "Maze ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.", "spans": {"MALWARE: Maze": [[0, 4], [138, 142]]}, "info": {"id": "mitre_mw_0378", "source": "mitre_attack", "mitre_id": "S0449", "name": "Maze", "type": "malware"}}
{"text": "Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.", "spans": {"THREAT_ACTOR: Volatile Cedar": [[64, 78]], "MALWARE: Explosive": [[0, 9]]}, "info": {"id": "mitre_mw_0379", "source": "mitre_attack", "mitre_id": "S0569", "name": "Explosive", "type": "malware"}}
{"text": "Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.", "spans": {"MALWARE: Winnti for Windows": [[261, 279]], "MALWARE: Winnti for Linux": [[0, 16]], "THREAT_ACTOR: Winnti Group": [[199, 211]], "SYSTEM: Windows": [[217, 224]], "SYSTEM: Linux": [[92, 97]]}, "info": {"id": "mitre_mw_0380", "source": "mitre_attack", "mitre_id": "S0430", "name": "Winnti for Linux", "type": "malware"}}
{"text": "CLAIMLOADER is a malware variant that frequently accompanies legitimate executables used for DLL side-loading. It is known to be leveraged by Mustang Panda and was first observed in use in 2021.", "spans": {"THREAT_ACTOR: Mustang Panda": [[142, 155]], "MALWARE: CLAIMLOADER": [[0, 11]]}, "info": {"id": "mitre_mw_0381", "source": "mitre_attack", "mitre_id": "S1236", "name": "CLAIMLOADER", "type": "malware"}}
{"text": "XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.", "spans": {"MALWARE: Formbook": [[114, 122]], "MALWARE: XLoader": [[0, 7], [124, 131]], "SYSTEM: FTP": [[250, 253]]}, "info": {"id": "mitre_mw_0382", "source": "mitre_attack", "mitre_id": "S1207", "name": "XLoader", "type": "malware"}}
{"text": "OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022 including against targets in Israel. OilCheck uses draft messages created in a shared email account for C2 communication.", "spans": {"MALWARE: OilCheck": [[0, 8], [119, 127]], "THREAT_ACTOR: OilRig": [[55, 61]], "SYSTEM: .NET": [[17, 21]]}, "info": {"id": "mitre_mw_0383", "source": "mitre_attack", "mitre_id": "S1171", "name": "OilCheck", "type": "malware"}}
{"text": "Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.", "spans": {"MALWARE: Duqu": [[0, 4]]}, "info": {"id": "mitre_mw_0384", "source": "mitre_attack", "mitre_id": "S0038", "name": "Duqu", "type": "malware"}}
{"text": "Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.", "spans": {"THREAT_ACTOR: OilRig": [[45, 51]], "MALWARE: Solar": [[0, 5]], "SYSTEM: .NET": [[14, 18]]}, "info": {"id": "mitre_mw_0385", "source": "mitre_attack", "mitre_id": "S1166", "name": "Solar", "type": "malware"}}
{"text": "Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. The group using this malware has also been referred to as Sykipot.", "spans": {"MALWARE: Sykipot": [[0, 7], [142, 149]], "THREAT_ACTOR: Sykipot": [[240, 247]]}, "info": {"id": "mitre_mw_0386", "source": "mitre_attack", "mitre_id": "S0018", "name": "Sykipot", "type": "malware"}}
{"text": "Catchamas is a Windows Trojan that steals information from compromised systems.", "spans": {"MALWARE: Catchamas": [[0, 9]], "SYSTEM: Windows": [[15, 22]]}, "info": {"id": "mitre_mw_0387", "source": "mitre_attack", "mitre_id": "S0261", "name": "Catchamas", "type": "malware"}}
{"text": "Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.", "spans": {"MALWARE: Clop": [[0, 4], [305, 309]]}, "info": {"id": "mitre_mw_0388", "source": "mitre_attack", "mitre_id": "S0611", "name": "Clop", "type": "malware"}}
{"text": "Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.", "spans": {"MALWARE: Ryuk": [[0, 4], [115, 119]]}, "info": {"id": "mitre_mw_0389", "source": "mitre_attack", "mitre_id": "S0446", "name": "Ryuk", "type": "malware"}}
{"text": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.", "spans": {"THREAT_ACTOR: OilRig": [[62, 68]], "MALWARE: RDAT": [[0, 4], [70, 74]]}, "info": {"id": "mitre_mw_0390", "source": "mitre_attack", "mitre_id": "S0495", "name": "RDAT", "type": "malware"}}
{"text": "macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.", "spans": {"MALWARE: macOS.OSAMiner": [[0, 14], [104, 118], [166, 180]], "ORGANIZATION: Apple": [[217, 222], [320, 325]]}, "info": {"id": "mitre_mw_0391", "source": "mitre_attack", "mitre_id": "S1048", "name": "macOS.OSAMiner", "type": "malware"}}
{"text": "SynAck is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017.", "spans": {"MALWARE: SynAck": [[0, 6]]}, "info": {"id": "mitre_mw_0392", "source": "mitre_attack", "mitre_id": "S0242", "name": "SynAck", "type": "malware"}}
{"text": "Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.", "spans": {"MALWARE: Chaes": [[0, 5], [170, 175]]}, "info": {"id": "mitre_mw_0393", "source": "mitre_attack", "mitre_id": "S0631", "name": "Chaes", "type": "malware"}}
{"text": "KARAE is a backdoor typically used by APT37 as first-stage malware.", "spans": {"THREAT_ACTOR: APT37": [[38, 43]], "MALWARE: KARAE": [[0, 5]]}, "info": {"id": "mitre_mw_0394", "source": "mitre_attack", "mitre_id": "S0215", "name": "KARAE", "type": "malware"}}
{"text": "Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework.", "spans": {"ORGANIZATION: Microsoft": [[77, 86]], "MALWARE: Kazuar": [[0, 6]], "SYSTEM: .NET": [[87, 91]]}, "info": {"id": "mitre_mw_0395", "source": "mitre_attack", "mitre_id": "S0265", "name": "Kazuar", "type": "malware"}}
{"text": "BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.", "spans": {"THREAT_ACTOR: Contagious Interview": [[308, 328]], "THREAT_ACTOR: DeceptiveDevelopment": [[284, 304]], "MALWARE: BeaverTail": [[0, 10], [87, 97], [196, 206], [330, 340]], "SYSTEM: JavaScript": [[40, 50]]}, "info": {"id": "mitre_mw_0396", "source": "mitre_attack", "mitre_id": "S1246", "name": "BeaverTail", "type": "malware"}}
{"text": "Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[26, 35]], "MALWARE: Briba": [[0, 5]]}, "info": {"id": "mitre_mw_0397", "source": "mitre_attack", "mitre_id": "S0204", "name": "Briba", "type": "malware"}}
{"text": "SampleCheck5000 is a downloader with multiple variants that was used by OilRig including during the Outer Space campaign to download and execute additional payloads.", "spans": {"MALWARE: SampleCheck5000": [[0, 15]], "THREAT_ACTOR: OilRig": [[72, 78]]}, "info": {"id": "mitre_mw_0398", "source": "mitre_attack", "mitre_id": "S1168", "name": "SampleCheck5000", "type": "malware"}}
{"text": "StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.", "spans": {"MALWARE: StoneDrill": [[0, 10]], "THREAT_ACTOR: APT33": [[133, 138]]}, "info": {"id": "mitre_mw_0399", "source": "mitre_attack", "mitre_id": "S0380", "name": "StoneDrill", "type": "malware"}}
{"text": "Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.", "spans": {"MALWARE: Cardinal RAT": [[0, 12], [98, 110]], "ORGANIZATION: Microsoft": [[186, 195]], "SYSTEM: Windows": [[196, 203]]}, "info": {"id": "mitre_mw_0400", "source": "mitre_attack", "mitre_id": "S0348", "name": "Cardinal RAT", "type": "malware"}}
{"text": "NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.", "spans": {"THREAT_ACTOR: Sandworm Team": [[37, 50]], "MALWARE: NotPetya": [[0, 8], [106, 114], [307, 315], [381, 389]]}, "info": {"id": "mitre_mw_0401", "source": "mitre_attack", "mitre_id": "S0368", "name": "NotPetya", "type": "malware"}}
{"text": "RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).", "spans": {"THREAT_ACTOR: Threat Group-3390": [[104, 121]], "THREAT_ACTOR: Mustang Panda": [[83, 96]], "MALWARE: RCSession": [[0, 9]]}, "info": {"id": "mitre_mw_0402", "source": "mitre_attack", "mitre_id": "S0662", "name": "RCSession", "type": "malware"}}
{"text": "RIPTIDE is a proxy-aware backdoor used by APT12.", "spans": {"MALWARE: RIPTIDE": [[0, 7]], "THREAT_ACTOR: APT12": [[42, 47]]}, "info": {"id": "mitre_mw_0403", "source": "mitre_attack", "mitre_id": "S0003", "name": "RIPTIDE", "type": "malware"}}
{"text": "Zox is a remote access tool that has been used by Axiom since at least 2008.", "spans": {"THREAT_ACTOR: Axiom": [[50, 55]], "MALWARE: Zox": [[0, 3]]}, "info": {"id": "mitre_mw_0404", "source": "mitre_attack", "mitre_id": "S0672", "name": "Zox", "type": "malware"}}
{"text": "InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.", "spans": {"THREAT_ACTOR: Gamaredon Group": [[287, 302]], "THREAT_ACTOR: InvisiMole Group": [[66, 82]], "MALWARE: InvisiMole": [[0, 10], [104, 114], [356, 366]]}, "info": {"id": "mitre_mw_0405", "source": "mitre_attack", "mitre_id": "S0260", "name": "InvisiMole", "type": "malware"}}
{"text": "GoBear is a Go-based backdoor that abuses legitimate, stolen certificates for defense evasion purposes. GoBear is exclusively linked to Kimsuky operations.", "spans": {"THREAT_ACTOR: Kimsuky": [[136, 143]], "MALWARE: GoBear": [[0, 6], [104, 110]]}, "info": {"id": "mitre_mw_0406", "source": "mitre_attack", "mitre_id": "S1197", "name": "GoBear", "type": "malware"}}
{"text": "Netwalker is fileless ransomware written in PowerShell and executed directly in memory.", "spans": {"SYSTEM: PowerShell": [[44, 54]], "MALWARE: Netwalker": [[0, 9]]}, "info": {"id": "mitre_mw_0407", "source": "mitre_attack", "mitre_id": "S0457", "name": "Netwalker", "type": "malware"}}
{"text": "BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.", "spans": {"MALWARE: BackConfig": [[0, 10]], "THREAT_ACTOR: Patchwork": [[88, 97]]}, "info": {"id": "mitre_mw_0408", "source": "mitre_attack", "mitre_id": "S0475", "name": "BackConfig", "type": "malware"}}
{"text": "SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[61, 78]], "MALWARE: SysUpdate": [[0, 9]]}, "info": {"id": "mitre_mw_0409", "source": "mitre_attack", "mitre_id": "S0663", "name": "SysUpdate", "type": "malware"}}
{"text": "Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread. In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.", "spans": {"MALWARE: Conficker": [[0, 9], [166, 175]], "ORGANIZATION: Microsoft": [[74, 83]], "SYSTEM: Windows": [[84, 91], [111, 118]]}, "info": {"id": "mitre_mw_0410", "source": "mitre_attack", "mitre_id": "S0608", "name": "Conficker", "type": "malware"}}
{"text": "MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.", "spans": {"MALWARE: MoleNet": [[0, 7]]}, "info": {"id": "mitre_mw_0411", "source": "mitre_attack", "mitre_id": "S0553", "name": "MoleNet", "type": "malware"}}
{"text": "Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.", "spans": {"MALWARE: HTTPBrowser": [[198, 209]], "MALWARE: Pisloader": [[0, 9]], "THREAT_ACTOR: APT18": [[150, 155]], "SYSTEM: DNS": [[64, 67]]}, "info": {"id": "mitre_mw_0412", "source": "mitre_attack", "mitre_id": "S0124", "name": "Pisloader", "type": "malware"}}
{"text": "TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware.", "spans": {"MALWARE: StoneDrill": [[66, 76]], "MALWARE: TURNEDUP": [[0, 8]], "THREAT_ACTOR: APT33": [[58, 63]]}, "info": {"id": "mitre_mw_0413", "source": "mitre_attack", "mitre_id": "S0199", "name": "TURNEDUP", "type": "malware"}}
{"text": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.", "spans": {"MALWARE: WannaCry": [[0, 8]]}, "info": {"id": "mitre_mw_0414", "source": "mitre_attack", "mitre_id": "S0366", "name": "WannaCry", "type": "malware"}}
{"text": "EVILNUM is a fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum, which has the same name.", "spans": {"THREAT_ACTOR: Evilnum": [[104, 111]], "MALWARE: EVILNUM": [[0, 7], [71, 78]]}, "info": {"id": "mitre_mw_0415", "source": "mitre_attack", "mitre_id": "S0568", "name": "EVILNUM", "type": "malware"}}
{"text": "NICECURL is a VBScript-based backdoor used by APT42 to download additional modules.", "spans": {"MALWARE: NICECURL": [[0, 8]], "THREAT_ACTOR: APT42": [[46, 51]]}, "info": {"id": "mitre_mw_0416", "source": "mitre_attack", "mitre_id": "S1192", "name": "NICECURL", "type": "malware"}}
{"text": "HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chinese origin.", "spans": {"MALWARE: HTTPBrowser": [[0, 11]]}, "info": {"id": "mitre_mw_0417", "source": "mitre_attack", "mitre_id": "S0070", "name": "HTTPBrowser", "type": "malware"}}
{"text": "FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims.", "spans": {"MALWARE: FLIPSIDE": [[0, 8]], "THREAT_ACTOR: FIN5": [[59, 63]]}, "info": {"id": "mitre_mw_0418", "source": "mitre_attack", "mitre_id": "S0173", "name": "FLIPSIDE", "type": "malware"}}
{"text": "BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.", "spans": {"MALWARE: BadPatch": [[0, 8]], "SYSTEM: Windows": [[14, 21]]}, "info": {"id": "mitre_mw_0419", "source": "mitre_attack", "mitre_id": "S0337", "name": "BadPatch", "type": "malware"}}
{"text": "ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.", "spans": {"MALWARE: ZeroCleare": [[0, 10]], "TOOL: RawDisk": [[73, 80]]}, "info": {"id": "mitre_mw_0420", "source": "mitre_attack", "mitre_id": "S1151", "name": "ZeroCleare", "type": "malware"}}
{"text": "FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.", "spans": {"SYSTEM: Active Directory": [[125, 141]], "MALWARE: FoggyWeb": [[0, 8]], "THREAT_ACTOR: APT29": [[197, 202]]}, "info": {"id": "mitre_mw_0421", "source": "mitre_attack", "mitre_id": "S0661", "name": "FoggyWeb", "type": "malware"}}
{"text": "Hannotog is a type of backdoor malware uniquely associated with Lotus Blossom operations since at least 2022.", "spans": {"THREAT_ACTOR: Lotus Blossom": [[64, 77]], "MALWARE: Hannotog": [[0, 8]]}, "info": {"id": "mitre_mw_0422", "source": "mitre_attack", "mitre_id": "S1211", "name": "Hannotog", "type": "malware"}}
{"text": "SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.", "spans": {"MALWARE: SYNful Knock": [[0, 12]]}, "info": {"id": "mitre_mw_0423", "source": "mitre_attack", "mitre_id": "S0519", "name": "SYNful Knock", "type": "malware"}}
{"text": "Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.", "spans": {"SYSTEM: GitHub": [[95, 101]], "MALWARE: Havoc": [[0, 5], [213, 218]]}, "info": {"id": "mitre_mw_0424", "source": "mitre_attack", "mitre_id": "S1229", "name": "Havoc", "type": "malware"}}
{"text": "Final1stspy is a dropper family that has been used to deliver DOGCALL.", "spans": {"MALWARE: Final1stspy": [[0, 11]], "MALWARE: DOGCALL": [[62, 69]]}, "info": {"id": "mitre_mw_0425", "source": "mitre_attack", "mitre_id": "S0355", "name": "Final1stspy", "type": "malware"}}
{"text": "TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.", "spans": {"SYSTEM: SolarWinds": [[115, 125]], "MALWARE: TEARDROP": [[0, 8]], "THREAT_ACTOR: APT29": [[160, 165]]}, "info": {"id": "mitre_mw_0426", "source": "mitre_attack", "mitre_id": "S0560", "name": "TEARDROP", "type": "malware"}}
{"text": "Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.", "spans": {"MALWARE: Prikormka": [[0, 9]]}, "info": {"id": "mitre_mw_0427", "source": "mitre_attack", "mitre_id": "S0113", "name": "Prikormka", "type": "malware"}}
{"text": "Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.", "spans": {"MALWARE: Trojan.Mebromi": [[0, 14]]}, "info": {"id": "mitre_mw_0428", "source": "mitre_attack", "mitre_id": "S0001", "name": "Trojan.Mebromi", "type": "malware"}}
{"text": "ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[48, 65]], "MALWARE: ASPXTool": [[87, 95]], "MALWARE: ASPXSpy": [[0, 7]]}, "info": {"id": "mitre_mw_0429", "source": "mitre_attack", "mitre_id": "S0073", "name": "ASPXSpy", "type": "malware"}}
{"text": "JSS Loader is a remote access trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.", "spans": {"MALWARE: JSS Loader": [[0, 10]], "THREAT_ACTOR: FIN7": [[92, 96]], "SYSTEM: .NET": [[48, 52]]}, "info": {"id": "mitre_mw_0430", "source": "mitre_attack", "mitre_id": "S0648", "name": "JSS Loader", "type": "malware"}}
{"text": "QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.", "spans": {"MALWARE: QUIETCANARY": [[0, 11]], "SYSTEM: .NET": [[42, 46]]}, "info": {"id": "mitre_mw_0431", "source": "mitre_attack", "mitre_id": "S1076", "name": "QUIETCANARY", "type": "malware"}}
{"text": "Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets.", "spans": {"MALWARE: Chaos": [[0, 5]], "SYSTEM: Linux": [[9, 14]], "SYSTEM: SSH": [[79, 82]]}, "info": {"id": "mitre_mw_0432", "source": "mitre_attack", "mitre_id": "S0220", "name": "Chaos", "type": "malware"}}
{"text": "Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.", "spans": {"MALWARE: Pillowmint": [[0, 10]], "THREAT_ACTOR: FIN7": [[46, 50]]}, "info": {"id": "mitre_mw_0433", "source": "mitre_attack", "mitre_id": "S0517", "name": "Pillowmint", "type": "malware"}}
{"text": "Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[26, 35]], "MALWARE: Pasam": [[0, 5]]}, "info": {"id": "mitre_mw_0434", "source": "mitre_attack", "mitre_id": "S0208", "name": "Pasam", "type": "malware"}}
{"text": "RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus.", "spans": {"MALWARE: RedLeaves": [[0, 9]], "THREAT_ACTOR: menuPass": [[38, 46]], "MALWARE: PlugX": [[71, 76]]}, "info": {"id": "mitre_mw_0435", "source": "mitre_attack", "mitre_id": "S0153", "name": "RedLeaves", "type": "malware"}}
{"text": "Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.", "spans": {"THREAT_ACTOR: Nomadic Octopus": [[93, 108]], "MALWARE: Octopus": [[0, 7]], "SYSTEM: Windows": [[13, 20]]}, "info": {"id": "mitre_mw_0436", "source": "mitre_attack", "mitre_id": "S0340", "name": "Octopus", "type": "malware"}}
{"text": "DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.", "spans": {"MALWARE: DarkWatchman": [[0, 12]], "SYSTEM: JavaScript": [[30, 40]]}, "info": {"id": "mitre_mw_0437", "source": "mitre_attack", "mitre_id": "S0673", "name": "DarkWatchman", "type": "malware"}}
{"text": "Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.", "spans": {"MALWARE: Babuk": [[0, 5], [107, 112]]}, "info": {"id": "mitre_mw_0438", "source": "mitre_attack", "mitre_id": "S0638", "name": "Babuk", "type": "malware"}}
{"text": "Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.", "spans": {"MALWARE: Avaddon": [[0, 7]]}, "info": {"id": "mitre_mw_0439", "source": "mitre_attack", "mitre_id": "S0640", "name": "Avaddon", "type": "malware"}}
{"text": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", "spans": {"THREAT_ACTOR: Leviathan": [[63, 72]], "MALWARE: NanHaiShu": [[0, 9], [74, 83]]}, "info": {"id": "mitre_mw_0440", "source": "mitre_attack", "mitre_id": "S0228", "name": "NanHaiShu", "type": "malware"}}
{"text": "Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.", "spans": {"MALWARE: TrickBot": [[255, 263]], "MALWARE: Bazar": [[0, 5], [226, 231]]}, "info": {"id": "mitre_mw_0441", "source": "mitre_attack", "mitre_id": "S0534", "name": "Bazar", "type": "malware"}}
{"text": "COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.", "spans": {"CVE_ID: CVE-2022-42475": [[494, 508]], "MALWARE: COATHANGER": [[0, 10], [212, 222], [370, 380], [519, 529]]}, "info": {"id": "mitre_mw_0442", "source": "mitre_attack", "mitre_id": "S1105", "name": "COATHANGER", "type": "malware"}}
{"text": "Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.", "spans": {"THREAT_ACTOR: Ke3chang": [[31, 39]], "MALWARE: Neoichor": [[0, 8]]}, "info": {"id": "mitre_mw_0443", "source": "mitre_attack", "mitre_id": "S0691", "name": "Neoichor", "type": "malware"}}
{"text": "BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.", "spans": {"THREAT_ACTOR: BlackTech": [[257, 266]], "MALWARE: BendyBear": [[0, 9], [135, 144]], "MALWARE: Waterbear": [[179, 188]]}, "info": {"id": "mitre_mw_0444", "source": "mitre_attack", "mitre_id": "S0574", "name": "BendyBear", "type": "malware"}}
{"text": "Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.", "spans": {"MALWARE: Carbon": [[0, 6], [125, 131]], "THREAT_ACTOR: Turla": [[161, 166]]}, "info": {"id": "mitre_mw_0445", "source": "mitre_attack", "mitre_id": "S0335", "name": "Carbon", "type": "malware"}}
{"text": "ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links. Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.", "spans": {"MALWARE: ThiefQuest": [[0, 10], [107, 117], [264, 274]], "SYSTEM: macOS": [[92, 97], [196, 201]]}, "info": {"id": "mitre_mw_0446", "source": "mitre_attack", "mitre_id": "S0595", "name": "ThiefQuest", "type": "malware"}}
{"text": "Zeroaccess is a kernel-mode rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.", "spans": {"MALWARE: Zeroaccess": [[0, 10]]}, "info": {"id": "mitre_mw_0447", "source": "mitre_attack", "mitre_id": "S0027", "name": "Zeroaccess", "type": "malware"}}
{"text": "Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.", "spans": {"MALWARE: Cobalt Strike": [[75, 88]], "MALWARE: Manjusaka": [[0, 9], [219, 228]], "SYSTEM: Windows": [[149, 156]], "TOOL: Sliver": [[64, 70]], "SYSTEM: Linux": [[161, 166]]}, "info": {"id": "mitre_mw_0448", "source": "mitre_attack", "mitre_id": "S1156", "name": "Manjusaka", "type": "malware"}}
{"text": "Epic is a backdoor that has been used by Turla.", "spans": {"THREAT_ACTOR: Turla": [[41, 46]], "MALWARE: Epic": [[0, 4]]}, "info": {"id": "mitre_mw_0449", "source": "mitre_attack", "mitre_id": "S0091", "name": "Epic", "type": "malware"}}
{"text": "MEDUSA is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and logging credentials.", "spans": {"MALWARE: MEDUSA": [[0, 6]]}, "info": {"id": "mitre_mw_0450", "source": "mitre_attack", "mitre_id": "S1220", "name": "MEDUSA", "type": "malware"}}
{"text": "BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.", "spans": {"MALWARE: BlackCat": [[0, 8], [137, 145]]}, "info": {"id": "mitre_mw_0451", "source": "mitre_attack", "mitre_id": "S1068", "name": "BlackCat", "type": "malware"}}
{"text": "GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.", "spans": {"SYSTEM: SolarWinds": [[199, 209]], "MALWARE: GoldMax": [[0, 7], [128, 135], [281, 288]], "SYSTEM: Windows": [[57, 64]], "THREAT_ACTOR: APT29": [[250, 255]], "SYSTEM: Linux": [[69, 74]]}, "info": {"id": "mitre_mw_0452", "source": "mitre_attack", "mitre_id": "S0588", "name": "GoldMax", "type": "malware"}}
{"text": "build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[51, 64]], "MALWARE: build_downer": [[0, 12]]}, "info": {"id": "mitre_mw_0453", "source": "mitre_attack", "mitre_id": "S0471", "name": "build_downer", "type": "malware"}}
{"text": "FELIXROOT is a backdoor that has been used to target Ukrainian victims.", "spans": {"MALWARE: FELIXROOT": [[0, 9]]}, "info": {"id": "mitre_mw_0454", "source": "mitre_attack", "mitre_id": "S0267", "name": "FELIXROOT", "type": "malware"}}
{"text": "ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.", "spans": {"MALWARE: ZIPLINE": [[0, 7]]}, "info": {"id": "mitre_mw_0455", "source": "mitre_attack", "mitre_id": "S1114", "name": "ZIPLINE", "type": "malware"}}
{"text": "JumbledPath is a custom-built utility written in Go that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary using x86-64 architecture which makes it potentially useable across Linux operating systems and network devices from multiple vendors.", "spans": {"THREAT_ACTOR: Salt Typhoon": [[74, 86]], "MALWARE: JumbledPath": [[0, 11], [151, 162]], "ORGANIZATION: Cisco": [[136, 141]], "SYSTEM: Linux": [[260, 265]]}, "info": {"id": "mitre_mw_0456", "source": "mitre_attack", "mitre_id": "S1206", "name": "JumbledPath", "type": "malware"}}
{"text": "Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.", "spans": {"MALWARE: Woody RAT": [[0, 9]]}, "info": {"id": "mitre_mw_0457", "source": "mitre_attack", "mitre_id": "S1065", "name": "Woody RAT", "type": "malware"}}
{"text": "MOPSLED is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage actors including UNC3886 and APT41.", "spans": {"THREAT_ACTOR: UNC3886": [[113, 120]], "MALWARE: MOPSLED": [[0, 7]], "THREAT_ACTOR: APT41": [[125, 130]]}, "info": {"id": "mitre_mw_0458", "source": "mitre_attack", "mitre_id": "S1221", "name": "MOPSLED", "type": "malware"}}
{"text": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.", "spans": {"MALWARE: Rover": [[0, 5]]}, "info": {"id": "mitre_mw_0459", "source": "mitre_attack", "mitre_id": "S0090", "name": "Rover", "type": "malware"}}
{"text": "BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.", "spans": {"MALWARE: BoomBox": [[0, 7]], "THREAT_ACTOR: APT29": [[94, 99]]}, "info": {"id": "mitre_mw_0460", "source": "mitre_attack", "mitre_id": "S0635", "name": "BoomBox", "type": "malware"}}
{"text": "Nightdoor is a backdoor exclusively associated with Daggerfly operations. Nightdoor uses common libraries with MgBot and MacMa, linking these malware families together.", "spans": {"THREAT_ACTOR: Daggerfly": [[52, 61]], "MALWARE: Nightdoor": [[0, 9], [74, 83]], "MALWARE: MacMa": [[121, 126]], "MALWARE: MgBot": [[111, 116]]}, "info": {"id": "mitre_mw_0461", "source": "mitre_attack", "mitre_id": "S1147", "name": "Nightdoor", "type": "malware"}}
{"text": "StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.", "spans": {"THREAT_ACTOR: Deep Panda": [[51, 61]], "MALWARE: StreamEx": [[0, 8]]}, "info": {"id": "mitre_mw_0462", "source": "mitre_attack", "mitre_id": "S0142", "name": "StreamEx", "type": "malware"}}
{"text": "TDTESS is a 64-bit .NET binary backdoor used by CopyKittens.", "spans": {"THREAT_ACTOR: CopyKittens": [[48, 59]], "MALWARE: TDTESS": [[0, 6]], "SYSTEM: .NET": [[19, 23]]}, "info": {"id": "mitre_mw_0463", "source": "mitre_attack", "mitre_id": "S0164", "name": "TDTESS", "type": "malware"}}
{"text": "Kasidet is a backdoor that has been dropped by using malicious VBA macros.", "spans": {"MALWARE: Kasidet": [[0, 7]]}, "info": {"id": "mitre_mw_0464", "source": "mitre_attack", "mitre_id": "S0088", "name": "Kasidet", "type": "malware"}}
{"text": "SOUNDBITE is a signature backdoor used by APT32.", "spans": {"MALWARE: SOUNDBITE": [[0, 9]], "THREAT_ACTOR: APT32": [[42, 47]]}, "info": {"id": "mitre_mw_0465", "source": "mitre_attack", "mitre_id": "S0157", "name": "SOUNDBITE", "type": "malware"}}
{"text": "JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.", "spans": {"MALWARE: JHUHUGIT": [[0, 8]], "MALWARE: Carberp": [[50, 57]], "THREAT_ACTOR: APT28": [[28, 33]]}, "info": {"id": "mitre_mw_0466", "source": "mitre_attack", "mitre_id": "S0044", "name": "JHUHUGIT", "type": "malware"}}
{"text": "Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.", "spans": {"THREAT_ACTOR: Suckfly": [[51, 58]], "MALWARE: Nidiran": [[0, 7]]}, "info": {"id": "mitre_mw_0467", "source": "mitre_attack", "mitre_id": "S0118", "name": "Nidiran", "type": "malware"}}
{"text": "BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.", "spans": {"MALWARE: BUSHWALK": [[0, 8]], "SYSTEM: Perl": [[35, 39]]}, "info": {"id": "mitre_mw_0468", "source": "mitre_attack", "mitre_id": "S1118", "name": "BUSHWALK", "type": "malware"}}
{"text": "POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.", "spans": {"SYSTEM: PowerShell": [[21, 31]], "MALWARE: POWERTON": [[0, 8]], "THREAT_ACTOR: APT33": [[124, 129]]}, "info": {"id": "mitre_mw_0469", "source": "mitre_attack", "mitre_id": "S0371", "name": "POWERTON", "type": "malware"}}
{"text": "SNUGRIDE is a backdoor that has been used by menuPass as first stage malware.", "spans": {"THREAT_ACTOR: menuPass": [[45, 53]], "MALWARE: SNUGRIDE": [[0, 8]]}, "info": {"id": "mitre_mw_0470", "source": "mitre_attack", "mitre_id": "S0159", "name": "SNUGRIDE", "type": "malware"}}
{"text": "MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.", "spans": {"MALWARE: MultiLayer Wiper": [[0, 16], [105, 121]], "THREAT_ACTOR: Agrius": [[66, 72]], "SYSTEM: .NET": [[45, 49]]}, "info": {"id": "mitre_mw_0471", "source": "mitre_attack", "mitre_id": "S1135", "name": "MultiLayer Wiper", "type": "malware"}}
{"text": "Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.", "spans": {"MALWARE: Exaramel for Windows": [[157, 177]], "MALWARE: Exaramel for Linux": [[0, 18]], "SYSTEM: Windows": [[113, 120]]}, "info": {"id": "mitre_mw_0472", "source": "mitre_attack", "mitre_id": "S0401", "name": "Exaramel for Linux", "type": "malware"}}
{"text": "PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data.", "spans": {"MALWARE: PUNCHTRACK": [[0, 10]], "THREAT_ACTOR: FIN8": [[76, 80]]}, "info": {"id": "mitre_mw_0473", "source": "mitre_attack", "mitre_id": "S0197", "name": "PUNCHTRACK", "type": "malware"}}
{"text": "Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums.", "spans": {"MALWARE: Trojan.Karagany": [[0, 15], [108, 123]], "THREAT_ACTOR: Dragonfly": [[77, 86]]}, "info": {"id": "mitre_mw_0474", "source": "mitre_attack", "mitre_id": "S0094", "name": "Trojan.Karagany", "type": "malware"}}
{"text": "PHOREAL is a signature backdoor used by APT32.", "spans": {"MALWARE: PHOREAL": [[0, 7]], "THREAT_ACTOR: APT32": [[40, 45]]}, "info": {"id": "mitre_mw_0475", "source": "mitre_attack", "mitre_id": "S0158", "name": "PHOREAL", "type": "malware"}}
{"text": "Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. Cuckoo Stealer is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUPs such as converters, cleaners, and uninstallers.", "spans": {"MALWARE: Cuckoo Stealer": [[0, 14], [127, 141]], "SYSTEM: macOS": [[20, 25]]}, "info": {"id": "mitre_mw_0476", "source": "mitre_attack", "mitre_id": "S1153", "name": "Cuckoo Stealer", "type": "malware"}}
{"text": "Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.", "spans": {"MALWARE: Exaramel for Windows": [[135, 155]], "THREAT_ACTOR: Sandworm Team": [[215, 228]], "MALWARE: Prestige": [[160, 168], [270, 278]], "MALWARE: Kapeka": [[0, 6], [100, 106], [230, 236]]}, "info": {"id": "mitre_mw_0477", "source": "mitre_attack", "mitre_id": "S1190", "name": "Kapeka", "type": "malware"}}
{"text": "CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.", "spans": {"MALWARE: CARROTBAT": [[0, 9], [76, 85]], "MALWARE: SYSCON": [[111, 117]], "MALWARE: KONNI": [[154, 159]]}, "info": {"id": "mitre_mw_0478", "source": "mitre_attack", "mitre_id": "S0462", "name": "CARROTBAT", "type": "malware"}}
{"text": "Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.", "spans": {"MALWARE: Agent Tesla": [[0, 11]], "SYSTEM: .NET": [[48, 52]]}, "info": {"id": "mitre_mw_0479", "source": "mitre_attack", "mitre_id": "S0331", "name": "Agent Tesla", "type": "malware"}}
{"text": "Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.", "spans": {"MALWARE: Miner-C": [[0, 7]], "SYSTEM: FTP": [[85, 88]]}, "info": {"id": "mitre_mw_0480", "source": "mitre_attack", "mitre_id": "S0133", "name": "Miner-C", "type": "malware"}}
{"text": "ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.", "spans": {"THREAT_ACTOR: APT16": [[93, 98]], "MALWARE: ELMER": [[0, 5]], "SYSTEM: HTTP": [[39, 43]]}, "info": {"id": "mitre_mw_0481", "source": "mitre_attack", "mitre_id": "S0064", "name": "ELMER", "type": "malware"}}
{"text": "Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.", "spans": {"THREAT_ACTOR: Star Blizzard": [[65, 78]], "MALWARE: Spica": [[0, 5]]}, "info": {"id": "mitre_mw_0482", "source": "mitre_attack", "mitre_id": "S1140", "name": "Spica", "type": "malware"}}
{"text": "SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.", "spans": {"MALWARE: SpicyOmelette": [[0, 13]], "THREAT_ACTOR: Cobalt Group": [[77, 89]], "SYSTEM: JavaScript": [[19, 29]]}, "info": {"id": "mitre_mw_0483", "source": "mitre_attack", "mitre_id": "S0646", "name": "SpicyOmelette", "type": "malware"}}
{"text": "Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.", "spans": {"MALWARE: Bundlore": [[0, 8], [109, 117]], "SYSTEM: macOS": [[31, 36]]}, "info": {"id": "mitre_mw_0484", "source": "mitre_attack", "mitre_id": "S0482", "name": "Bundlore", "type": "malware"}}
{"text": "Skidmap is a kernel-mode rootkit used for cryptocurrency mining.", "spans": {"MALWARE: Skidmap": [[0, 7]]}, "info": {"id": "mitre_mw_0485", "source": "mitre_attack", "mitre_id": "S0468", "name": "Skidmap", "type": "malware"}}
{"text": "HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks.", "spans": {"MALWARE: HALFBAKED": [[0, 9]]}, "info": {"id": "mitre_mw_0486", "source": "mitre_attack", "mitre_id": "S0151", "name": "HALFBAKED", "type": "malware"}}
{"text": "SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.", "spans": {"MALWARE: SamSam": [[0, 6]]}, "info": {"id": "mitre_mw_0487", "source": "mitre_attack", "mitre_id": "S0370", "name": "SamSam", "type": "malware"}}
{"text": "BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.", "spans": {"MALWARE: BBSRAT": [[0, 6]]}, "info": {"id": "mitre_mw_0488", "source": "mitre_attack", "mitre_id": "S0127", "name": "BBSRAT", "type": "malware"}}
{"text": "XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan.", "spans": {"MALWARE: CHOPSTICK": [[101, 110]], "MALWARE: XAgentOSX": [[0, 9]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "mitre_mw_0489", "source": "mitre_attack", "mitre_id": "S0161", "name": "XAgentOSX", "type": "malware"}}
{"text": "Akira _v2 is a Rust-based variant of Akira ransomware that has been in use since at least 2024. Akira _v2 is designed to target VMware ESXi servers and includes a new command-line argument set and other expanded capabilities.", "spans": {"MALWARE: Akira _v2": [[0, 9], [96, 105]], "SYSTEM: VMware": [[128, 134]], "MALWARE: Akira": [[37, 42]]}, "info": {"id": "mitre_mw_0490", "source": "mitre_attack", "mitre_id": "S1194", "name": "Akira _v2", "type": "malware"}}
{"text": "RedLine Stealer is an information-stealer malware variant first identified in 2020. RedLine Stealer is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service. Information obtained from RedLine Stealer has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.", "spans": {"MALWARE: RedLine Stealer": [[0, 15], [84, 99], [248, 263]]}, "info": {"id": "mitre_mw_0491", "source": "mitre_attack", "mitre_id": "S1240", "name": "RedLine Stealer", "type": "malware"}}
{"text": "InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016.", "spans": {"MALWARE: InnaputRAT": [[0, 10], [86, 96]]}, "info": {"id": "mitre_mw_0492", "source": "mitre_attack", "mitre_id": "S0259", "name": "InnaputRAT", "type": "malware"}}
{"text": "Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[26, 35]], "MALWARE: Nerex": [[0, 5]]}, "info": {"id": "mitre_mw_0493", "source": "mitre_attack", "mitre_id": "S0210", "name": "Nerex", "type": "malware"}}
{"text": "Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.", "spans": {"MALWARE: Socksbot": [[0, 8]]}, "info": {"id": "mitre_mw_0494", "source": "mitre_attack", "mitre_id": "S0273", "name": "Socksbot", "type": "malware"}}
{"text": "WinMM is a full-featured, simple backdoor used by Naikon.", "spans": {"THREAT_ACTOR: Naikon": [[50, 56]], "MALWARE: WinMM": [[0, 5]]}, "info": {"id": "mitre_mw_0495", "source": "mitre_attack", "mitre_id": "S0059", "name": "WinMM", "type": "malware"}}
{"text": "Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017.", "spans": {"MALWARE: Astaroth": [[0, 8]]}, "info": {"id": "mitre_mw_0496", "source": "mitre_attack", "mitre_id": "S0373", "name": "Astaroth", "type": "malware"}}
{"text": "Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.", "spans": {"MALWARE: Playcrypt": [[0, 9], [218, 227]], "MALWARE: Play": [[48, 52]]}, "info": {"id": "mitre_mw_0497", "source": "mitre_attack", "mitre_id": "S1162", "name": "Playcrypt", "type": "malware"}}
{"text": "BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed utilized in 2015. BOOKWORM was later updated in late 2021 and the fall of 2022 to launch shellcode represented as UUID parameters.", "spans": {"THREAT_ACTOR: Mustang Panda": [[54, 67]], "MALWARE: BOOKWORM": [[0, 8], [109, 117]]}, "info": {"id": "mitre_mw_0498", "source": "mitre_attack", "mitre_id": "S1226", "name": "BOOKWORM", "type": "malware"}}
{"text": "ROCKBOOT is a bootkit that has been used by an unidentified, suspected China-based group.", "spans": {"MALWARE: ROCKBOOT": [[0, 8]]}, "info": {"id": "mitre_mw_0499", "source": "mitre_attack", "mitre_id": "S0112", "name": "ROCKBOOT", "type": "malware"}}
{"text": "HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.", "spans": {"MALWARE: DEATHRANSOM": [[100, 111]], "MALWARE: HELLOKITTY": [[0, 10], [127, 137]], "MALWARE: FIVEHANDS": [[116, 125]]}, "info": {"id": "mitre_mw_0500", "source": "mitre_attack", "mitre_id": "S0617", "name": "HELLOKITTY", "type": "malware"}}
{"text": "Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021.", "spans": {"MALWARE: Seth-Locker": [[0, 11]]}, "info": {"id": "mitre_mw_0501", "source": "mitre_attack", "mitre_id": "S0639", "name": "Seth-Locker", "type": "malware"}}
{"text": "FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.", "spans": {"MALWARE: FRAMESTING": [[0, 10]], "SYSTEM: Python": [[16, 22], [106, 112]]}, "info": {"id": "mitre_mw_0502", "source": "mitre_attack", "mitre_id": "S1120", "name": "FRAMESTING", "type": "malware"}}
{"text": "POORAIM is a backdoor used by APT37 in campaigns since at least 2014.", "spans": {"MALWARE: POORAIM": [[0, 7]], "THREAT_ACTOR: APT37": [[30, 35]]}, "info": {"id": "mitre_mw_0503", "source": "mitre_attack", "mitre_id": "S0216", "name": "POORAIM", "type": "malware"}}
{"text": "POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.", "spans": {"SYSTEM: PowerShell": [[14, 24]], "MALWARE: POWRUNER": [[0, 8]]}, "info": {"id": "mitre_mw_0504", "source": "mitre_attack", "mitre_id": "S0184", "name": "POWRUNER", "type": "malware"}}
{"text": "NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.", "spans": {"MALWARE: Cobalt Strike": [[63, 76]], "MALWARE: NativeZone": [[0, 10]], "THREAT_ACTOR: APT29": [[93, 98]]}, "info": {"id": "mitre_mw_0505", "source": "mitre_attack", "mitre_id": "S0637", "name": "NativeZone", "type": "malware"}}
{"text": "Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.", "spans": {"THREAT_ACTOR: MoustachedBouncer": [[48, 65]], "MALWARE: Disco": [[0, 5]]}, "info": {"id": "mitre_mw_0506", "source": "mitre_attack", "mitre_id": "S1088", "name": "Disco", "type": "malware"}}
{"text": "YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.", "spans": {"THREAT_ACTOR: Tropic Trooper": [[28, 42]], "MALWARE: YAHOYAH": [[0, 7]]}, "info": {"id": "mitre_mw_0507", "source": "mitre_attack", "mitre_id": "S0388", "name": "YAHOYAH", "type": "malware"}}
{"text": "Cherry Picker is a point of sale (PoS) memory scraper.", "spans": {"MALWARE: Cherry Picker": [[0, 13]]}, "info": {"id": "mitre_mw_0508", "source": "mitre_attack", "mitre_id": "S0107", "name": "Cherry Picker", "type": "malware"}}
{"text": "Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.", "spans": {"THREAT_ACTOR: Transparent Tribe": [[56, 73]], "MALWARE: Crimson": [[0, 7]]}, "info": {"id": "mitre_mw_0509", "source": "mitre_attack", "mitre_id": "S0115", "name": "Crimson", "type": "malware"}}
{"text": "Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.", "spans": {"MALWARE: Sakula": [[73, 79]], "MALWARE: Hi-Zor": [[0, 6]]}, "info": {"id": "mitre_mw_0510", "source": "mitre_attack", "mitre_id": "S0087", "name": "Hi-Zor", "type": "malware"}}
{"text": "REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.", "spans": {"MALWARE: REPTILE": [[0, 7]], "SYSTEM: Linux": [[26, 31]]}, "info": {"id": "mitre_mw_0511", "source": "mitre_attack", "mitre_id": "S1219", "name": "REPTILE", "type": "malware"}}
{"text": "Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.", "spans": {"THREAT_ACTOR: BlackTech": [[43, 52]], "MALWARE: Waterbear": [[0, 9]], "TOOL: attrib": [[29, 35]]}, "info": {"id": "mitre_mw_0512", "source": "mitre_attack", "mitre_id": "S0579", "name": "Waterbear", "type": "malware"}}
{"text": "EKANS is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in MegaCortex.", "spans": {"MALWARE: MegaCortex": [[447, 457]], "MALWARE: EKANS": [[0, 5], [262, 267]]}, "info": {"id": "mitre_mw_0513", "source": "mitre_attack", "mitre_id": "S0605", "name": "EKANS", "type": "malware"}}
{"text": "PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.", "spans": {"MALWARE: PS1": [[0, 3]]}, "info": {"id": "mitre_mw_0514", "source": "mitre_attack", "mitre_id": "S0613", "name": "PS1", "type": "malware"}}
{"text": "njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.", "spans": {"MALWARE: njRAT": [[0, 5]]}, "info": {"id": "mitre_mw_0515", "source": "mitre_attack", "mitre_id": "S0385", "name": "njRAT", "type": "malware"}}
{"text": "BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.", "spans": {"MALWARE: BOOSTWRITE": [[0, 10]], "THREAT_ACTOR: FIN7": [[104, 108]]}, "info": {"id": "mitre_mw_0516", "source": "mitre_attack", "mitre_id": "S0415", "name": "BOOSTWRITE", "type": "malware"}}
{"text": "CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.", "spans": {"MALWARE: CoinTicker": [[0, 10]]}, "info": {"id": "mitre_mw_0517", "source": "mitre_attack", "mitre_id": "S0369", "name": "CoinTicker", "type": "malware"}}
{"text": "Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.", "spans": {"THREAT_ACTOR: Sandworm Team": [[37, 50]], "MALWARE: Prestige": [[0, 8]]}, "info": {"id": "mitre_mw_0518", "source": "mitre_attack", "mitre_id": "S1058", "name": "Prestige", "type": "malware"}}
{"text": "CookieMiner is Mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.", "spans": {"MALWARE: CookieMiner": [[0, 11]]}, "info": {"id": "mitre_mw_0519", "source": "mitre_attack", "mitre_id": "S0492", "name": "CookieMiner", "type": "malware"}}
{"text": "BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.", "spans": {"MALWARE: BLUELIGHT": [[0, 9]], "THREAT_ACTOR: APT37": [[44, 49]]}, "info": {"id": "mitre_mw_0520", "source": "mitre_attack", "mitre_id": "S0657", "name": "BLUELIGHT", "type": "malware"}}
{"text": "Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.", "spans": {"MALWARE: Egregor": [[0, 7], [141, 148]], "MALWARE: Maze": [[184, 188]]}, "info": {"id": "mitre_mw_0521", "source": "mitre_attack", "mitre_id": "S0554", "name": "Egregor", "type": "malware"}}
{"text": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.", "spans": {"MALWARE: PoisonIvy": [[0, 9]]}, "info": {"id": "mitre_mw_0522", "source": "mitre_attack", "mitre_id": "S0012", "name": "PoisonIvy", "type": "malware"}}
{"text": "Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.", "spans": {"THREAT_ACTOR: BackdoorDiplomacy": [[43, 60]], "MALWARE: Turian": [[0, 6], [215, 221]]}, "info": {"id": "mitre_mw_0523", "source": "mitre_attack", "mitre_id": "S0647", "name": "Turian", "type": "malware"}}
{"text": "Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee. The DLL component in the Raspberry Robin infection chain is also referred to as \"Roshtyak.\" The name \"Raspberry Robin\" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.", "spans": {"MALWARE: Raspberry Robin": [[0, 15], [276, 291], [514, 529], [591, 606], [711, 726]], "MALWARE: Cobalt Strike": [[451, 464]], "MALWARE: SocGholish": [[439, 449]], "MALWARE: Bumblebee": [[478, 487]], "MALWARE: IcedID": [[466, 472]]}, "info": {"id": "mitre_mw_0524", "source": "mitre_attack", "mitre_id": "S1130", "name": "Raspberry Robin", "type": "malware"}}
{"text": "CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.", "spans": {"MALWARE: CaddyWiper": [[0, 10]]}, "info": {"id": "mitre_mw_0525", "source": "mitre_attack", "mitre_id": "S0693", "name": "CaddyWiper", "type": "malware"}}
{"text": "SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.", "spans": {"MALWARE: SideTwist": [[0, 9]], "THREAT_ACTOR: OilRig": [[54, 60]]}, "info": {"id": "mitre_mw_0526", "source": "mitre_attack", "mitre_id": "S0610", "name": "SideTwist", "type": "malware"}}
{"text": "Gomir is a Linux backdoor variant of the Go-based malware GoBear, uniquely associated with Kimsuky operations.", "spans": {"THREAT_ACTOR: Kimsuky": [[91, 98]], "MALWARE: GoBear": [[58, 64]], "MALWARE: Gomir": [[0, 5]], "SYSTEM: Linux": [[11, 16]]}, "info": {"id": "mitre_mw_0527", "source": "mitre_attack", "mitre_id": "S1198", "name": "Gomir", "type": "malware"}}
{"text": "SEASHARPEE is a Web shell that has been used by OilRig.", "spans": {"MALWARE: SEASHARPEE": [[0, 10]], "THREAT_ACTOR: OilRig": [[48, 54]]}, "info": {"id": "mitre_mw_0528", "source": "mitre_attack", "mitre_id": "S0185", "name": "SEASHARPEE", "type": "malware"}}
{"text": "Gootloader is a JavaScript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, Cobalt Strike, REvil, and others. Gootloader operates on an \"Initial Access as a Service\" model and has leveraged SEO Poisoning to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.", "spans": {"MALWARE: Cobalt Strike": [[145, 158]], "MALWARE: Gootloader": [[0, 10], [179, 189]], "MALWARE: REvil": [[160, 165]]}, "info": {"id": "mitre_mw_0529", "source": "mitre_attack", "mitre_id": "S1138", "name": "Gootloader", "type": "malware"}}
{"text": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.", "spans": {"THREAT_ACTOR: Sandworm Team": [[391, 404]], "MALWARE: Cyclops Blink": [[410, 423]], "MALWARE: VPNFilter": [[0, 9], [154, 163], [350, 359]]}, "info": {"id": "mitre_mw_0530", "source": "mitre_attack", "mitre_id": "S1010", "name": "VPNFilter", "type": "malware"}}
{"text": "MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor developed code and code snippets freely available online in development communities.", "spans": {"MALWARE: MechaFlounder": [[0, 13]], "THREAT_ACTOR: APT39": [[79, 84]]}, "info": {"id": "mitre_mw_0531", "source": "mitre_attack", "mitre_id": "S0459", "name": "MechaFlounder", "type": "malware"}}
{"text": "Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023. Pikabot is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. Pikabot has some overlaps with QakBot, but insufficient evidence exists to definitively link these two malware families. Pikabot is frequently used to deploy follow-on tools such as Cobalt Strike or ransomware variants.", "spans": {"MALWARE: Cobalt Strike": [[423, 436]], "MALWARE: Pikabot": [[0, 7], [101, 108], [241, 248], [362, 369]], "MALWARE: QakBot": [[272, 278]]}, "info": {"id": "mitre_mw_0532", "source": "mitre_attack", "mitre_id": "S1145", "name": "Pikabot", "type": "malware"}}
{"text": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management.", "spans": {"MALWARE: KOMPROGO": [[0, 8]], "THREAT_ACTOR: APT32": [[41, 46]]}, "info": {"id": "mitre_mw_0533", "source": "mitre_attack", "mitre_id": "S0156", "name": "KOMPROGO", "type": "malware"}}
{"text": "NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.", "spans": {"MALWARE: NKAbuse": [[0, 7]]}, "info": {"id": "mitre_mw_0534", "source": "mitre_attack", "mitre_id": "S1107", "name": "NKAbuse", "type": "malware"}}
{"text": "SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.", "spans": {"MALWARE: SoreFang": [[0, 8]], "THREAT_ACTOR: APT29": [[45, 50]]}, "info": {"id": "mitre_mw_0535", "source": "mitre_attack", "mitre_id": "S0516", "name": "SoreFang", "type": "malware"}}
{"text": "TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.", "spans": {"MALWARE: TINYTYPHON": [[0, 10]], "THREAT_ACTOR: MONSOON": [[78, 85]]}, "info": {"id": "mitre_mw_0536", "source": "mitre_attack", "mitre_id": "S0131", "name": "TINYTYPHON", "type": "malware"}}
{"text": "Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links. Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.", "spans": {"MALWARE: Ursnif": [[0, 6], [169, 175]]}, "info": {"id": "mitre_mw_0537", "source": "mitre_attack", "mitre_id": "S0386", "name": "Ursnif", "type": "malware"}}
{"text": "Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.", "spans": {"MALWARE: TrickBot": [[112, 120]], "MALWARE: Conti": [[0, 5], [84, 89], [267, 272]]}, "info": {"id": "mitre_mw_0538", "source": "mitre_attack", "mitre_id": "S0575", "name": "Conti", "type": "malware"}}
{"text": "ZeroT is a Trojan used by TA459, often in conjunction with PlugX.", "spans": {"THREAT_ACTOR: TA459": [[26, 31]], "MALWARE: PlugX": [[59, 64]], "MALWARE: ZeroT": [[0, 5]]}, "info": {"id": "mitre_mw_0539", "source": "mitre_attack", "mitre_id": "S0230", "name": "ZeroT", "type": "malware"}}
{"text": "Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.", "spans": {"MALWARE: Misdat": [[0, 6]]}, "info": {"id": "mitre_mw_0540", "source": "mitre_attack", "mitre_id": "S0083", "name": "Misdat", "type": "malware"}}
{"text": "SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.", "spans": {"MALWARE: SVCReady": [[0, 8], [163, 171]], "THREAT_ACTOR: TA551": [[144, 149]]}, "info": {"id": "mitre_mw_0541", "source": "mitre_attack", "mitre_id": "S1064", "name": "SVCReady", "type": "malware"}}
{"text": "DUSTTRAP is a multi-stage plugin framework associated with APT41 operations with multiple components.", "spans": {"MALWARE: DUSTTRAP": [[0, 8]], "THREAT_ACTOR: APT41": [[59, 64]]}, "info": {"id": "mitre_mw_0542", "source": "mitre_attack", "mitre_id": "S1159", "name": "DUSTTRAP", "type": "malware"}}
{"text": "ShrinkLocker is a VBS-based malicious script that leverages the legitimate BitLocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using BitLocker to encrypt files, then renames impacted drives to the adversary’s contact email address to facilitate communication for the ransom payment.", "spans": {"MALWARE: ShrinkLocker": [[0, 12], [144, 156]]}, "info": {"id": "mitre_mw_0543", "source": "mitre_attack", "mitre_id": "S1178", "name": "ShrinkLocker", "type": "malware"}}
{"text": "Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.", "spans": {"MALWARE: Kobalos": [[0, 7], [91, 98], [325, 332]], "MALWARE: Solar": [[82, 87]], "SYSTEM: Linux": [[62, 67]]}, "info": {"id": "mitre_mw_0544", "source": "mitre_attack", "mitre_id": "S0641", "name": "Kobalos", "type": "malware"}}
{"text": "Shamoon is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.", "spans": {"MALWARE: Kwampirs": [[318, 326]], "MALWARE: Shamoon": [[0, 7], [138, 145], [152, 159], [194, 201], [305, 312], [392, 399]], "TOOL: RawDisk": [[232, 239]]}, "info": {"id": "mitre_mw_0545", "source": "mitre_attack", "mitre_id": "S0140", "name": "Shamoon", "type": "malware"}}
{"text": "Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics.", "spans": {"MALWARE: Brave Prince": [[154, 166]], "MALWARE: Gold Dragon": [[0, 11], [122, 133]], "MALWARE: RunningRAT": [[171, 181]]}, "info": {"id": "mitre_mw_0546", "source": "mitre_attack", "mitre_id": "S0249", "name": "Gold Dragon", "type": "malware"}}
{"text": "BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.", "spans": {"MALWARE: BONDUPDATER": [[0, 11]], "SYSTEM: PowerShell": [[17, 27]], "THREAT_ACTOR: OilRig": [[45, 51]]}, "info": {"id": "mitre_mw_0547", "source": "mitre_attack", "mitre_id": "S0360", "name": "BONDUPDATER", "type": "malware"}}
{"text": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.", "spans": {"MALWARE: SHIPSHAPE": [[0, 9]], "THREAT_ACTOR: APT30": [[34, 39], [113, 118]]}, "info": {"id": "mitre_mw_0548", "source": "mitre_attack", "mitre_id": "S0028", "name": "SHIPSHAPE", "type": "malware"}}
{"text": "Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.", "spans": {"THREAT_ACTOR: Threat Group-3390": [[91, 108]], "MALWARE: Pandora": [[0, 7]]}, "info": {"id": "mitre_mw_0549", "source": "mitre_attack", "mitre_id": "S0664", "name": "Pandora", "type": "malware"}}
{"text": "ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.", "spans": {"THREAT_ACTOR: menuPass": [[58, 66]], "MALWARE: ChChes": [[0, 6]]}, "info": {"id": "mitre_mw_0550", "source": "mitre_attack", "mitre_id": "S0144", "name": "ChChes", "type": "malware"}}
{"text": "Sys10 is a backdoor that was used throughout 2013 by Naikon.", "spans": {"THREAT_ACTOR: Naikon": [[53, 59]], "MALWARE: Sys10": [[0, 5]]}, "info": {"id": "mitre_mw_0551", "source": "mitre_attack", "mitre_id": "S0060", "name": "Sys10", "type": "malware"}}
{"text": "BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.", "spans": {"MALWARE: BitPaymer": [[0, 9], [96, 105], [193, 202]], "MALWARE: Dridex": [[254, 260], [296, 302]]}, "info": {"id": "mitre_mw_0552", "source": "mitre_attack", "mitre_id": "S0570", "name": "BitPaymer", "type": "malware"}}
{"text": "Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment.", "spans": {"MALWARE: Kinsing": [[0, 7]]}, "info": {"id": "mitre_mw_0553", "source": "mitre_attack", "mitre_id": "S0599", "name": "Kinsing", "type": "malware"}}
{"text": "ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.", "spans": {"MALWARE: ProLock": [[0, 7], [152, 159]], "MALWARE: QakBot": [[144, 150]]}, "info": {"id": "mitre_mw_0554", "source": "mitre_attack", "mitre_id": "S0654", "name": "ProLock", "type": "malware"}}
{"text": "ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.", "spans": {"MALWARE: ZLib": [[0, 4], [122, 126]]}, "info": {"id": "mitre_mw_0555", "source": "mitre_attack", "mitre_id": "S0086", "name": "ZLib", "type": "malware"}}
{"text": "down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.", "spans": {"THREAT_ACTOR: BRONZE BUTLER": [[47, 60]], "MALWARE: down_new": [[0, 8]]}, "info": {"id": "mitre_mw_0556", "source": "mitre_attack", "mitre_id": "S0472", "name": "down_new", "type": "malware"}}
{"text": "DarkComet is a Windows remote administration tool and backdoor.", "spans": {"MALWARE: DarkComet": [[0, 9]], "SYSTEM: Windows": [[15, 22]]}, "info": {"id": "mitre_mw_0557", "source": "mitre_attack", "mitre_id": "S0334", "name": "DarkComet", "type": "malware"}}
{"text": "Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).", "spans": {"MALWARE: Dridex": [[0, 6], [109, 115], [253, 259]]}, "info": {"id": "mitre_mw_0558", "source": "mitre_attack", "mitre_id": "S0384", "name": "Dridex", "type": "malware"}}
{"text": "Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.\n\nSecurity researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.", "spans": {"MALWARE: Small Sieve": [[0, 11], [241, 252]], "THREAT_ACTOR: MuddyWater": [[163, 173], [300, 310]], "SYSTEM: Telegram": [[17, 25]], "SYSTEM: Python": [[40, 46]]}, "info": {"id": "mitre_mw_0559", "source": "mitre_attack", "mitre_id": "S1035", "name": "Small Sieve", "type": "malware"}}
{"text": "Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.", "spans": {"MALWARE: Net Crawler": [[0, 11], [227, 238]], "TOOL: PsExec": [[199, 205]], "SYSTEM: SMB": [[134, 137]]}, "info": {"id": "mitre_mw_0560", "source": "mitre_attack", "mitre_id": "S0056", "name": "Net Crawler", "type": "malware"}}
{"text": "Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stealer has typically been delivered through a dropper disguised as a legitimate security program installation file. Troll Stealer features code similar to AppleSeed, also uniquely associated with Kimsuky operations.", "spans": {"MALWARE: Troll Stealer": [[0, 13], [90, 103], [213, 226]], "MALWARE: AppleSeed": [[252, 261]], "THREAT_ACTOR: Kimsuky": [[70, 77], [293, 300]]}, "info": {"id": "mitre_mw_0561", "source": "mitre_attack", "mitre_id": "S1196", "name": "Troll Stealer", "type": "malware"}}
{"text": "Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.", "spans": {"THREAT_ACTOR: Tonto Team": [[60, 70]], "MALWARE: Bisonal": [[0, 7]]}, "info": {"id": "mitre_mw_0562", "source": "mitre_attack", "mitre_id": "S0268", "name": "Bisonal", "type": "malware"}}
{"text": "Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.", "spans": {"THREAT_ACTOR: HEXANE": [[108, 114]], "MALWARE: Milan": [[81, 86]], "MALWARE: Shark": [[0, 5]], "SYSTEM: .NET": [[46, 50]]}, "info": {"id": "mitre_mw_0563", "source": "mitre_attack", "mitre_id": "S1019", "name": "Shark", "type": "malware"}}
{"text": "RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).", "spans": {"MALWARE: RotaJakiro": [[0, 10], [127, 137]], "THREAT_ACTOR: APT32": [[46, 51]], "SYSTEM: Linux": [[23, 28]]}, "info": {"id": "mitre_mw_0564", "source": "mitre_attack", "mitre_id": "S1078", "name": "RotaJakiro", "type": "malware"}}
{"text": "4H RAT is malware that has been used by Putter Panda since at least 2007.", "spans": {"THREAT_ACTOR: Putter Panda": [[40, 52]], "MALWARE: 4H RAT": [[0, 6]]}, "info": {"id": "mitre_mw_0565", "source": "mitre_attack", "mitre_id": "S0065", "name": "4H RAT", "type": "malware"}}
{"text": "Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.", "spans": {"MALWARE: Drovorub": [[0, 8]], "THREAT_ACTOR: APT28": [[117, 122]], "SYSTEM: Linux": [[14, 19]]}, "info": {"id": "mitre_mw_0566", "source": "mitre_attack", "mitre_id": "S0502", "name": "Drovorub", "type": "malware"}}
{"text": "EnvyScout is a dropper that has been used by APT29 since at least 2021.", "spans": {"MALWARE: EnvyScout": [[0, 9]], "THREAT_ACTOR: APT29": [[45, 50]]}, "info": {"id": "mitre_mw_0567", "source": "mitre_attack", "mitre_id": "S0634", "name": "EnvyScout", "type": "malware"}}
{"text": "VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[190, 202]], "MALWARE: VersaMem": [[0, 8], [125, 133], [228, 236]], "MALWARE: Disco": [[98, 103]]}, "info": {"id": "mitre_mw_0568", "source": "mitre_attack", "mitre_id": "S1154", "name": "VersaMem", "type": "malware"}}
{"text": "Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics.", "spans": {"MALWARE: Brave Prince": [[0, 12]], "MALWARE: Gold Dragon": [[137, 148], [174, 185]], "MALWARE: RunningRAT": [[190, 200]]}, "info": {"id": "mitre_mw_0569", "source": "mitre_attack", "mitre_id": "S0252", "name": "Brave Prince", "type": "malware"}}
{"text": "Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.", "spans": {"THREAT_ACTOR: ToddyCat": [[45, 53]], "MALWARE: Pcexter": [[0, 7]]}, "info": {"id": "mitre_mw_0570", "source": "mitre_attack", "mitre_id": "S1102", "name": "Pcexter", "type": "malware"}}
{"text": "ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.", "spans": {"THREAT_ACTOR: Lazarus Group": [[49, 62], [197, 210]], "MALWARE: ThreatNeedle": [[0, 12]]}, "info": {"id": "mitre_mw_0571", "source": "mitre_attack", "mitre_id": "S0665", "name": "ThreatNeedle", "type": "malware"}}
{"text": "Spark is a Windows backdoor and has been in use since as early as 2017.", "spans": {"SYSTEM: Windows": [[11, 18]], "MALWARE: Spark": [[0, 5]]}, "info": {"id": "mitre_mw_0572", "source": "mitre_attack", "mitre_id": "S0543", "name": "Spark", "type": "malware"}}
{"text": "Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.", "spans": {"MALWARE: Cobalt Strike": [[0, 13], [224, 237], [405, 418]], "TOOL: Mimikatz": [[495, 503]]}, "info": {"id": "mitre_mw_0573", "source": "mitre_attack", "mitre_id": "S0154", "name": "Cobalt Strike", "type": "malware"}}
{"text": "LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with LunarLoader and LunarWeb. LunarMail is designed to be deployed on workstations and can use email messages and Steganography in command and control.", "spans": {"MALWARE: LunarLoader": [[166, 177]], "MALWARE: LunarMail": [[0, 9], [192, 201]], "MALWARE: LunarWeb": [[182, 190]], "THREAT_ACTOR: Turla": [[46, 51]]}, "info": {"id": "mitre_mw_0574", "source": "mitre_attack", "mitre_id": "S1142", "name": "LunarMail", "type": "malware"}}
{"text": "RainyDay is a backdoor tool that has been used by Naikon since at least 2020.", "spans": {"MALWARE: RainyDay": [[0, 8]], "THREAT_ACTOR: Naikon": [[50, 56]]}, "info": {"id": "mitre_mw_0575", "source": "mitre_attack", "mitre_id": "S0629", "name": "RainyDay", "type": "malware"}}
{"text": "GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.", "spans": {"MALWARE: GoldFinder": [[0, 10], [276, 286]], "SYSTEM: SolarWinds": [[349, 359]], "THREAT_ACTOR: APT29": [[374, 379]], "TOOL: route": [[68, 73]], "SYSTEM: HTTP": [[23, 27]]}, "info": {"id": "mitre_mw_0576", "source": "mitre_attack", "mitre_id": "S0597", "name": "GoldFinder", "type": "malware"}}
{"text": "MURKYTOP is a reconnaissance tool used by Leviathan.", "spans": {"THREAT_ACTOR: Leviathan": [[42, 51]], "MALWARE: MURKYTOP": [[0, 8]]}, "info": {"id": "mitre_mw_0577", "source": "mitre_attack", "mitre_id": "S0233", "name": "MURKYTOP", "type": "malware"}}
{"text": "RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#.", "spans": {"THREAT_ACTOR: DarkHydrus": [[32, 42]], "MALWARE: RogueRobin": [[0, 10]], "SYSTEM: PowerShell": [[70, 80]]}, "info": {"id": "mitre_mw_0578", "source": "mitre_attack", "mitre_id": "S0270", "name": "RogueRobin", "type": "malware"}}
{"text": "VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.", "spans": {"MALWARE: PowerShower": [[152, 163]], "THREAT_ACTOR: Inception": [[45, 54]], "MALWARE: VBShower": [[0, 8], [76, 84]]}, "info": {"id": "mitre_mw_0579", "source": "mitre_attack", "mitre_id": "S0442", "name": "VBShower", "type": "malware"}}
{"text": "WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.", "spans": {"THREAT_ACTOR: Windshift": [[49, 58]], "MALWARE: WindTail": [[0, 8], [60, 68]], "SYSTEM: macOS": [[14, 19]]}, "info": {"id": "mitre_mw_0580", "source": "mitre_attack", "mitre_id": "S0466", "name": "WindTail", "type": "malware"}}
{"text": "LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by embedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.", "spans": {"MALWARE: LIGHTWIRE": [[0, 9]], "SYSTEM: Perl": [[36, 40]]}, "info": {"id": "mitre_mw_0581", "source": "mitre_attack", "mitre_id": "S1119", "name": "LIGHTWIRE", "type": "malware"}}
{"text": "THINCRUST is a Python-based backdoor tool that has been used by UNC3886 since at least 2023.", "spans": {"MALWARE: THINCRUST": [[0, 9]], "THREAT_ACTOR: UNC3886": [[64, 71]], "SYSTEM: Python": [[15, 21]]}, "info": {"id": "mitre_mw_0582", "source": "mitre_attack", "mitre_id": "S1223", "name": "THINCRUST", "type": "malware"}}
{"text": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.", "spans": {"MALWARE: BISCUIT": [[0, 7]], "THREAT_ACTOR: APT1": [[44, 48]]}, "info": {"id": "mitre_mw_0583", "source": "mitre_attack", "mitre_id": "S0017", "name": "BISCUIT", "type": "malware"}}
{"text": "More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4.", "spans": {"THREAT_ACTOR: Cobalt Group": [[40, 52]], "MALWARE: More_eggs": [[0, 9], [105, 114]], "THREAT_ACTOR: FIN6": [[57, 61]]}, "info": {"id": "mitre_mw_0584", "source": "mitre_attack", "mitre_id": "S0284", "name": "More_eggs", "type": "malware"}}
{"text": "DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.", "spans": {"THREAT_ACTOR: Lazarus Group": [[62, 75], [226, 239]], "MALWARE: DRATzarus": [[0, 9], [163, 172]], "MALWARE: Bankshot": [[198, 206]]}, "info": {"id": "mitre_mw_0585", "source": "mitre_attack", "mitre_id": "S0694", "name": "DRATzarus", "type": "malware"}}
{"text": "Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a-Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.", "spans": {"THREAT_ACTOR: Wizard Spider": [[247, 260]], "MALWARE: Diavol": [[0, 6], [187, 193]], "MALWARE: Bazar": [[304, 309]]}, "info": {"id": "mitre_mw_0586", "source": "mitre_attack", "mitre_id": "S0659", "name": "Diavol", "type": "malware"}}
{"text": "NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork.", "spans": {"MALWARE: NDiskMonitor": [[0, 12]], "THREAT_ACTOR: Patchwork": [[79, 88]], "SYSTEM: .NET": [[45, 49]]}, "info": {"id": "mitre_mw_0587", "source": "mitre_attack", "mitre_id": "S0272", "name": "NDiskMonitor", "type": "malware"}}
{"text": "Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.", "spans": {"MALWARE: TrickBot": [[111, 119]], "MALWARE: IcedID": [[124, 130]], "MALWARE: Emotet": [[0, 6], [132, 138]]}, "info": {"id": "mitre_mw_0588", "source": "mitre_attack", "mitre_id": "S0367", "name": "Emotet", "type": "malware"}}
{"text": "SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.", "spans": {"MALWARE: FIVEHANDS": [[138, 147]], "MALWARE: SombRAT": [[0, 7]]}, "info": {"id": "mitre_mw_0589", "source": "mitre_attack", "mitre_id": "S0615", "name": "SombRAT", "type": "malware"}}
{"text": "KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.", "spans": {"MALWARE: KeyBoy": [[0, 6]]}, "info": {"id": "mitre_mw_0590", "source": "mitre_attack", "mitre_id": "S0387", "name": "KeyBoy", "type": "malware"}}
{"text": "Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.", "spans": {"THREAT_ACTOR: Cinnamon Tempest": [[50, 66]], "MALWARE: Cheerscrypt": [[0, 11], [155, 166]], "SYSTEM: Windows": [[113, 120]], "MALWARE: Babuk": [[195, 200], [315, 320]]}, "info": {"id": "mitre_mw_0591", "source": "mitre_attack", "mitre_id": "S1096", "name": "Cheerscrypt", "type": "malware"}}
{"text": "SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.", "spans": {"SYSTEM: SolarWinds Orion": [[56, 72]], "MALWARE: SUNBURST": [[0, 8]], "THREAT_ACTOR: APT29": [[115, 120]]}, "info": {"id": "mitre_mw_0592", "source": "mitre_attack", "mitre_id": "S0559", "name": "SUNBURST", "type": "malware"}}
{"text": "OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.", "spans": {"MALWARE: OSX/Shlayer": [[0, 11]], "SYSTEM: macOS": [[54, 59]]}, "info": {"id": "mitre_mw_0593", "source": "mitre_attack", "mitre_id": "S0402", "name": "OSX/Shlayer", "type": "malware"}}
{"text": "WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.", "spans": {"MALWARE: WarzoneRAT": [[0, 10]]}, "info": {"id": "mitre_mw_0594", "source": "mitre_attack", "mitre_id": "S0670", "name": "WarzoneRAT", "type": "malware"}}
{"text": "WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.", "spans": {"THREAT_ACTOR: Indrik Spider": [[50, 63]], "MALWARE: WastedLocker": [[0, 12], [108, 120]], "TOOL: attrib": [[36, 42]]}, "info": {"id": "mitre_mw_0595", "source": "mitre_attack", "mitre_id": "S0612", "name": "WastedLocker", "type": "malware"}}
{"text": "Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks. Taidoor has primarily been used against Taiwanese government organizations since at least 2010.", "spans": {"MALWARE: Taidoor": [[0, 7], [133, 140]]}, "info": {"id": "mitre_mw_0596", "source": "mitre_attack", "mitre_id": "S0011", "name": "Taidoor", "type": "malware"}}
{"text": "Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.", "spans": {"MALWARE: Black Basta": [[0, 11], [202, 213], [462, 473], [702, 713]], "SYSTEM: Windows": [[169, 176]], "MALWARE: Conti": [[776, 781]]}, "info": {"id": "mitre_mw_0597", "source": "mitre_attack", "mitre_id": "S1070", "name": "Black Basta", "type": "malware"}}
{"text": "CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.", "spans": {"MALWARE: CozyCar": [[0, 7]], "THREAT_ACTOR: APT29": [[36, 41]]}, "info": {"id": "mitre_mw_0598", "source": "mitre_attack", "mitre_id": "S0046", "name": "CozyCar", "type": "malware"}}
{"text": "Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences.", "spans": {"THREAT_ACTOR: CopyKittens": [[42, 53]], "MALWARE: Matryoshka": [[0, 10]]}, "info": {"id": "mitre_mw_0599", "source": "mitre_attack", "mitre_id": "S0167", "name": "Matryoshka", "type": "malware"}}
{"text": "ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"ShimRat\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence.", "spans": {"MALWARE: ShimRat": [[0, 7], [226, 233]], "SYSTEM: Windows": [[277, 284]], "THREAT_ACTOR: Mofang": [[61, 67]]}, "info": {"id": "mitre_mw_0600", "source": "mitre_attack", "mitre_id": "S0444", "name": "ShimRat", "type": "malware"}}
{"text": "Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.", "spans": {"MALWARE: HotCroissant": [[84, 96]], "MALWARE: Rifdoor": [[0, 7]]}, "info": {"id": "mitre_mw_0601", "source": "mitre_attack", "mitre_id": "S0433", "name": "Rifdoor", "type": "malware"}}
{"text": "HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.", "spans": {"MALWARE: Downdelph": [[68, 77]], "MALWARE: HIDEDRV": [[0, 7]], "THREAT_ACTOR: APT28": [[29, 34]]}, "info": {"id": "mitre_mw_0602", "source": "mitre_attack", "mitre_id": "S0135", "name": "HIDEDRV", "type": "malware"}}
{"text": "hcdLoader is a remote access tool (RAT) that has been used by APT18.", "spans": {"MALWARE: hcdLoader": [[0, 9]], "THREAT_ACTOR: APT18": [[62, 67]]}, "info": {"id": "mitre_mw_0603", "source": "mitre_attack", "mitre_id": "S0071", "name": "hcdLoader", "type": "malware"}}
{"text": "BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.", "spans": {"THREAT_ACTOR: Ke3chang": [[35, 43]], "MALWARE: BS2005": [[0, 6]]}, "info": {"id": "mitre_mw_0604", "source": "mitre_attack", "mitre_id": "S0014", "name": "BS2005", "type": "malware"}}
{"text": "Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.", "spans": {"MALWARE: Hildegard": [[0, 9], [218, 227]], "THREAT_ACTOR: TeamTNT": [[170, 177]]}, "info": {"id": "mitre_mw_0605", "source": "mitre_attack", "mitre_id": "S0601", "name": "Hildegard", "type": "malware"}}
{"text": "FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.", "spans": {"MALWARE: DEATHRANSOM": [[37, 48]], "MALWARE: FIVEHANDS": [[0, 9], [76, 85]], "MALWARE: SombRAT": [[197, 204]]}, "info": {"id": "mitre_mw_0606", "source": "mitre_attack", "mitre_id": "S0618", "name": "FIVEHANDS", "type": "malware"}}
{"text": "AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.", "spans": {"MALWARE: AuTo Stealer": [[0, 12]], "THREAT_ACTOR: SideCopy": [[61, 69]]}, "info": {"id": "mitre_mw_0607", "source": "mitre_attack", "mitre_id": "S1029", "name": "AuTo Stealer", "type": "malware"}}
{"text": "Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.", "spans": {"MALWARE: Wiper": [[0, 5]]}, "info": {"id": "mitre_mw_0608", "source": "mitre_attack", "mitre_id": "S0041", "name": "Wiper", "type": "malware"}}
{"text": "RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.", "spans": {"MALWARE: RansomHub": [[0, 9], [198, 207], [364, 373]], "SYSTEM: Windows": [[60, 67]], "SYSTEM: Linux": [[75, 80]]}, "info": {"id": "mitre_mw_0609", "source": "mitre_attack", "mitre_id": "S1212", "name": "RansomHub", "type": "malware"}}
{"text": "Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.", "spans": {"MALWARE: Carbanak": [[196, 204]], "MALWARE: Carberp": [[0, 7], [99, 106]]}, "info": {"id": "mitre_mw_0610", "source": "mitre_attack", "mitre_id": "S0484", "name": "Carberp", "type": "malware"}}
{"text": "RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines.", "spans": {"THREAT_ACTOR: Lazarus Group": [[45, 58]], "MALWARE: RATANKBA": [[0, 8], [60, 68], [344, 352]]}, "info": {"id": "mitre_mw_0611", "source": "mitre_attack", "mitre_id": "S0241", "name": "RATANKBA", "type": "malware"}}
{"text": "PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.", "spans": {"MALWARE: PolyglotDuke": [[0, 12], [78, 90]], "MALWARE: MiniDuke": [[113, 121]], "THREAT_ACTOR: APT29": [[51, 56]]}, "info": {"id": "mitre_mw_0612", "source": "mitre_attack", "mitre_id": "S0518", "name": "PolyglotDuke", "type": "malware"}}
{"text": "WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server.", "spans": {"MALWARE: WEBC2": [[0, 5], [74, 79]], "THREAT_ACTOR: APT1": [[46, 50]]}, "info": {"id": "mitre_mw_0613", "source": "mitre_attack", "mitre_id": "S0109", "name": "WEBC2", "type": "malware"}}
{"text": "RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to Sysinternals' PsExec functionality.", "spans": {"MALWARE: RemoteCMD": [[0, 9]], "THREAT_ACTOR: APT3": [[35, 39]]}, "info": {"id": "mitre_mw_0614", "source": "mitre_attack", "mitre_id": "S0166", "name": "RemoteCMD", "type": "malware"}}
{"text": "UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. UPSTYLE has only been observed in relation to this exploitation activity, which involved attempted install on compromised devices by the threat actor UTA0218.", "spans": {"CVE_ID: CVE-2024-3400": [[93, 106]], "MALWARE: UPSTYLE": [[0, 7], [122, 129]], "SYSTEM: Python": [[13, 19]]}, "info": {"id": "mitre_mw_0615", "source": "mitre_attack", "mitre_id": "S1164", "name": "UPSTYLE", "type": "malware"}}
{"text": "AcidRain is an ELF binary targeting modems and routers using MIPS architecture. AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team. US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.", "spans": {"THREAT_ACTOR: Sandworm Team": [[334, 347], [499, 512]], "MALWARE: VPNFilter": [[307, 316]], "MALWARE: AcidRain": [[0, 8], [80, 88], [391, 399], [474, 482]], "TOOL: route": [[47, 52]]}, "info": {"id": "mitre_mw_0616", "source": "mitre_attack", "mitre_id": "S1125", "name": "AcidRain", "type": "malware"}}
{"text": "HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.", "spans": {"MALWARE: HAWKBALL": [[0, 8]]}, "info": {"id": "mitre_mw_0617", "source": "mitre_attack", "mitre_id": "S0391", "name": "HAWKBALL", "type": "malware"}}
{"text": "Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.", "spans": {"MALWARE: Action RAT": [[0, 10]], "THREAT_ACTOR: SideCopy": [[75, 83]]}, "info": {"id": "mitre_mw_0618", "source": "mitre_attack", "mitre_id": "S1028", "name": "Action RAT", "type": "malware"}}
{"text": "CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.", "spans": {"THREAT_ACTOR: Mustang Panda": [[49, 62], [104, 117]], "MALWARE: CANONSTAGER": [[0, 11], [246, 257], [370, 381]], "SYSTEM: Windows": [[306, 313]]}, "info": {"id": "mitre_mw_0619", "source": "mitre_attack", "mitre_id": "S1237", "name": "CANONSTAGER", "type": "malware"}}
{"text": "Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.", "spans": {"SYSTEM: Kubernetes": [[34, 44]], "MALWARE: Siloscape": [[0, 9], [82, 91]], "SYSTEM: Windows": [[62, 69]]}, "info": {"id": "mitre_mw_0620", "source": "mitre_attack", "mitre_id": "S0623", "name": "Siloscape", "type": "malware"}}
{"text": "BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.", "spans": {"THREAT_ACTOR: Leviathan": [[31, 40]], "MALWARE: BADFLICK": [[0, 8]]}, "info": {"id": "mitre_mw_0621", "source": "mitre_attack", "mitre_id": "S0642", "name": "BADFLICK", "type": "malware"}}
{"text": "MegaCortex is ransomware that first appeared in May 2019. MegaCortex has mainly targeted industrial organizations.", "spans": {"MALWARE: MegaCortex": [[0, 10], [58, 68]]}, "info": {"id": "mitre_mw_0622", "source": "mitre_attack", "mitre_id": "S0576", "name": "MegaCortex", "type": "malware"}}
{"text": "Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.", "spans": {"SYSTEM: Windows": [[10, 17]], "MALWARE: Cuba": [[0, 4]]}, "info": {"id": "mitre_mw_0623", "source": "mitre_attack", "mitre_id": "S0625", "name": "Cuba", "type": "malware"}}
{"text": "Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.", "spans": {"THREAT_ACTOR: Aoqin Dragon": [[75, 87]], "MALWARE: Mongall": [[0, 7]]}, "info": {"id": "mitre_mw_0624", "source": "mitre_attack", "mitre_id": "S1026", "name": "Mongall", "type": "malware"}}
{"text": "Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.", "spans": {"THREAT_ACTOR: Axiom": [[39, 44]], "MALWARE: Hikit": [[0, 5]]}, "info": {"id": "mitre_mw_0625", "source": "mitre_attack", "mitre_id": "S0009", "name": "Hikit", "type": "malware"}}
{"text": "NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.", "spans": {"MALWARE: NetTraveler": [[0, 11]]}, "info": {"id": "mitre_mw_0626", "source": "mitre_attack", "mitre_id": "S0033", "name": "NetTraveler", "type": "malware"}}
{"text": "TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.", "spans": {"THREAT_ACTOR: Wizard Spider": [[167, 180]], "MALWARE: TrickBot": [[0, 8], [122, 130]], "MALWARE: Dyre": [[116, 120]]}, "info": {"id": "mitre_mw_0627", "source": "mitre_attack", "mitre_id": "S0266", "name": "TrickBot", "type": "malware"}}
{"text": "Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.", "spans": {"THREAT_ACTOR: BlackTech": [[93, 102]], "MALWARE: Kivars": [[0, 6]]}, "info": {"id": "mitre_mw_0628", "source": "mitre_attack", "mitre_id": "S0437", "name": "Kivars", "type": "malware"}}
{"text": "HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.", "spans": {"MALWARE: HiddenWasp": [[0, 10]], "SYSTEM: Linux": [[16, 21]]}, "info": {"id": "mitre_mw_0629", "source": "mitre_attack", "mitre_id": "S0394", "name": "HiddenWasp", "type": "malware"}}
{"text": "PipeMon is a multi-stage modular backdoor used by Winnti Group.", "spans": {"THREAT_ACTOR: Winnti Group": [[50, 62]], "MALWARE: PipeMon": [[0, 7]]}, "info": {"id": "mitre_mw_0630", "source": "mitre_attack", "mitre_id": "S0501", "name": "PipeMon", "type": "malware"}}
{"text": "Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.", "spans": {"MALWARE: FlawedGrace": [[75, 86]], "MALWARE: FlawedAmmyy": [[88, 99]], "MALWARE: SDBbot": [[112, 118]], "THREAT_ACTOR: TA505": [[58, 63]], "MALWARE: Get2": [[0, 4]]}, "info": {"id": "mitre_mw_0631", "source": "mitre_attack", "mitre_id": "S0460", "name": "Get2", "type": "malware"}}
{"text": "Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. Raccoon Stealer has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.", "spans": {"MALWARE: Raccoon Stealer": [[0, 15], [147, 162]]}, "info": {"id": "mitre_mw_0632", "source": "mitre_attack", "mitre_id": "S1148", "name": "Raccoon Stealer", "type": "malware"}}
{"text": "Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations. Industroyer was used in the attacks on the Ukrainian power grid in December 2016. This is the first publicly known malware specifically designed to target and impact operations in the electric grid.", "spans": {"MALWARE: Industroyer": [[0, 11], [195, 206]]}, "info": {"id": "mitre_mw_0633", "source": "mitre_attack", "mitre_id": "S0604", "name": "Industroyer", "type": "malware"}}
{"text": "PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.", "spans": {"THREAT_ACTOR: MuddyWater": [[105, 115]], "SYSTEM: PowerShell": [[56, 66]], "MALWARE: PowGoop": [[0, 7]]}, "info": {"id": "mitre_mw_0634", "source": "mitre_attack", "mitre_id": "S1046", "name": "PowGoop", "type": "malware"}}
{"text": "OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.", "spans": {"SYSTEM: Microsoft Exchange": [[58, 76]], "THREAT_ACTOR: Threat Group-3390": [[124, 141]], "MALWARE: OwaAuth": [[0, 7]]}, "info": {"id": "mitre_mw_0635", "source": "mitre_attack", "mitre_id": "S0072", "name": "OwaAuth", "type": "malware"}}
{"text": "SplatDropper is a loader that utilizes native Windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and used a legitimate executable for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed utilized in 2025.", "spans": {"THREAT_ACTOR: Mustang Panda": [[257, 270]], "MALWARE: SplatDropper": [[0, 12], [108, 120], [216, 228]]}, "info": {"id": "mitre_mw_0636", "source": "mitre_attack", "mitre_id": "S1232", "name": "SplatDropper", "type": "malware"}}
{"text": "Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.", "spans": {"SYSTEM: PowerShell": [[55, 65]], "MALWARE: Ferocious": [[0, 9]], "THREAT_ACTOR: WIRTE": [[96, 101]]}, "info": {"id": "mitre_mw_0637", "source": "mitre_attack", "mitre_id": "S0679", "name": "Ferocious", "type": "malware"}}
{"text": "Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.", "spans": {"MALWARE: Hacking Team UEFI Rootkit": [[0, 25]]}, "info": {"id": "mitre_mw_0638", "source": "mitre_attack", "mitre_id": "S0047", "name": "Hacking Team UEFI Rootkit", "type": "malware"}}
{"text": "JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way.", "spans": {"THREAT_ACTOR: PLATINUM": [[47, 55]], "MALWARE: Dipsind": [[98, 105]], "MALWARE: JPIN": [[0, 4], [89, 93]]}, "info": {"id": "mitre_mw_0639", "source": "mitre_attack", "mitre_id": "S0201", "name": "JPIN", "type": "malware"}}
{"text": "GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.", "spans": {"MALWARE: GLASSTOKEN": [[0, 10]]}, "info": {"id": "mitre_mw_0640", "source": "mitre_attack", "mitre_id": "S1117", "name": "GLASSTOKEN", "type": "malware"}}
{"text": "CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.", "spans": {"MALWARE: CALENDAR": [[0, 8]], "THREAT_ACTOR: APT1": [[28, 32]]}, "info": {"id": "mitre_mw_0641", "source": "mitre_attack", "mitre_id": "S0025", "name": "CALENDAR", "type": "malware"}}
{"text": "RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.", "spans": {"MALWARE: BOOSTWRITE": [[33, 43]], "MALWARE: RDFSNIFFER": [[0, 10]]}, "info": {"id": "mitre_mw_0642", "source": "mitre_attack", "mitre_id": "S0416", "name": "RDFSNIFFER", "type": "malware"}}
{"text": "Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.", "spans": {"MALWARE: Crimson": [[95, 102]], "SYSTEM: Python": [[11, 17]], "MALWARE: Peppy": [[0, 5]]}, "info": {"id": "mitre_mw_0643", "source": "mitre_attack", "mitre_id": "S0643", "name": "Peppy", "type": "malware"}}
{"text": "LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.", "spans": {"MALWARE: LITTLELAMB.WOOLTEA": [[0, 18]]}, "info": {"id": "mitre_mw_0644", "source": "mitre_attack", "mitre_id": "S1121", "name": "LITTLELAMB.WOOLTEA", "type": "malware"}}
{"text": "NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea.", "spans": {"MALWARE: NavRAT": [[0, 6]]}, "info": {"id": "mitre_mw_0645", "source": "mitre_attack", "mitre_id": "S0247", "name": "NavRAT", "type": "malware"}}
{"text": "BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a common key for infections, allowing for the creation of a universal decryptor. BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023.", "spans": {"MALWARE: BlackByte 2.0 Ransomware": [[239, 263]], "MALWARE: BlackByte Ransomware": [[0, 20], [71, 91], [178, 198]], "THREAT_ACTOR: BlackByte": [[49, 58], [215, 224]]}, "info": {"id": "mitre_mw_0646", "source": "mitre_attack", "mitre_id": "S1180", "name": "BlackByte Ransomware", "type": "malware"}}
{"text": "Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.", "spans": {"MALWARE: GoldMax": [[369, 376]], "MALWARE: Tomiris": [[0, 7], [357, 364]], "SYSTEM: DNS": [[216, 219]]}, "info": {"id": "mitre_mw_0647", "source": "mitre_attack", "mitre_id": "S0671", "name": "Tomiris", "type": "malware"}}
{"text": "Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.", "spans": {"MALWARE: Line Runner": [[0, 11], [119, 130]], "SYSTEM: Lua": [[106, 109]]}, "info": {"id": "mitre_mw_0648", "source": "mitre_attack", "mitre_id": "S1188", "name": "Line Runner", "type": "malware"}}
{"text": "GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.", "spans": {"MALWARE: BlackEnergy": [[109, 120]], "MALWARE: GreyEnergy": [[0, 10], [69, 79]]}, "info": {"id": "mitre_mw_0649", "source": "mitre_attack", "mitre_id": "S0342", "name": "GreyEnergy", "type": "malware"}}
{"text": "PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong. PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.", "spans": {"THREAT_ACTOR: BlackTech": [[59, 68]], "MALWARE: TSCookie": [[177, 185]], "MALWARE: PLEAD": [[0, 5], [142, 147], [261, 266]]}, "info": {"id": "mitre_mw_0650", "source": "mitre_attack", "mitre_id": "S0435", "name": "PLEAD", "type": "malware"}}
{"text": "PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.", "spans": {"MALWARE: PACEMAKER": [[0, 9]], "THREAT_ACTOR: APT5": [[51, 55]]}, "info": {"id": "mitre_mw_0651", "source": "mitre_attack", "mitre_id": "S1109", "name": "PACEMAKER", "type": "malware"}}
{"text": "ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute payloads and to exfiltrate staged files.", "spans": {"MALWARE: ODAgent": [[0, 7]], "THREAT_ACTOR: OilRig": [[54, 60]], "SYSTEM: .NET": [[16, 20]]}, "info": {"id": "mitre_mw_0652", "source": "mitre_attack", "mitre_id": "S1170", "name": "ODAgent", "type": "malware"}}
{"text": "NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.", "spans": {"MALWARE: NanoCore": [[0, 8]], "SYSTEM: .NET": [[54, 58]]}, "info": {"id": "mitre_mw_0653", "source": "mitre_attack", "mitre_id": "S0336", "name": "NanoCore", "type": "malware"}}
{"text": "MacSpy is a malware-as-a-service offered on the darkweb.", "spans": {"MALWARE: MacSpy": [[0, 6]]}, "info": {"id": "mitre_mw_0654", "source": "mitre_attack", "mitre_id": "S0282", "name": "MacSpy", "type": "malware"}}
{"text": "FatDuke is a backdoor used by APT29 since at least 2016.", "spans": {"MALWARE: FatDuke": [[0, 7]], "THREAT_ACTOR: APT29": [[30, 35]]}, "info": {"id": "mitre_mw_0655", "source": "mitre_attack", "mitre_id": "S0512", "name": "FatDuke", "type": "malware"}}
{"text": "Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.", "spans": {"MALWARE: TrickBot": [[85, 93]], "MALWARE: Anchor": [[0, 6]]}, "info": {"id": "mitre_mw_0656", "source": "mitre_attack", "mitre_id": "S0504", "name": "Anchor", "type": "malware"}}
{"text": "Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.", "spans": {"MALWARE: Penquin": [[0, 7]], "THREAT_ACTOR: Turla": [[71, 76]], "SYSTEM: Linux": [[87, 92]]}, "info": {"id": "mitre_mw_0657", "source": "mitre_attack", "mitre_id": "S0587", "name": "Penquin", "type": "malware"}}
{"text": "Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.", "spans": {"THREAT_ACTOR: Lazarus Group": [[313, 326]], "MALWARE: Rising Sun": [[0, 10], [108, 118], [271, 281]]}, "info": {"id": "mitre_mw_0658", "source": "mitre_attack", "mitre_id": "S0448", "name": "Rising Sun", "type": "malware"}}
{"text": "Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.", "spans": {"THREAT_ACTOR: ToddyCat": [[52, 60]], "MALWARE: Samurai": [[0, 7], [82, 89]]}, "info": {"id": "mitre_mw_0659", "source": "mitre_attack", "mitre_id": "S1099", "name": "Samurai", "type": "malware"}}
{"text": "KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.", "spans": {"THREAT_ACTOR: APT37": [[393, 398]], "MALWARE: NOKKI": [[171, 176]], "MALWARE: KONNI": [[0, 5], [127, 132], [384, 389]]}, "info": {"id": "mitre_mw_0660", "source": "mitre_attack", "mitre_id": "S0356", "name": "KONNI", "type": "malware"}}
{"text": "Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.", "spans": {"THREAT_ACTOR: Scarlet Mimic": [[56, 69]], "MALWARE: FakeM": [[105, 110]], "MALWARE: Psylo": [[0, 5]]}, "info": {"id": "mitre_mw_0661", "source": "mitre_attack", "mitre_id": "S0078", "name": "Psylo", "type": "malware"}}
{"text": "IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.", "spans": {"MALWARE: IceApple": [[0, 8]], "SYSTEM: IIS": [[53, 56]]}, "info": {"id": "mitre_mw_0662", "source": "mitre_attack", "mitre_id": "S1022", "name": "IceApple", "type": "malware"}}
{"text": "PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.", "spans": {"THREAT_ACTOR: Gamaredon Group": [[61, 76]], "MALWARE: PowerPunch": [[0, 10]]}, "info": {"id": "mitre_mw_0663", "source": "mitre_attack", "mitre_id": "S0685", "name": "PowerPunch", "type": "malware"}}
{"text": "PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.", "spans": {"MALWARE: PowerShower": [[0, 11]], "SYSTEM: PowerShell": [[17, 27]], "THREAT_ACTOR: Inception": [[45, 54]]}, "info": {"id": "mitre_mw_0664", "source": "mitre_attack", "mitre_id": "S0441", "name": "PowerShower", "type": "malware"}}
{"text": "Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.", "spans": {"MALWARE: OceanSalt": [[105, 114]], "MALWARE: Seasalt": [[0, 7]], "THREAT_ACTOR: APT1": [[43, 47]]}, "info": {"id": "mitre_mw_0665", "source": "mitre_attack", "mitre_id": "S0345", "name": "Seasalt", "type": "malware"}}
{"text": "BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.", "spans": {"MALWARE: BlackEnergy": [[0, 11], [441, 452], [459, 470]]}, "info": {"id": "mitre_mw_0666", "source": "mitre_attack", "mitre_id": "S0089", "name": "BlackEnergy", "type": "malware"}}
{"text": "Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia.", "spans": {"MALWARE: Bad Rabbit": [[0, 10], [103, 113]]}, "info": {"id": "mitre_mw_0667", "source": "mitre_attack", "mitre_id": "S0606", "name": "Bad Rabbit", "type": "malware"}}
{"text": "VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.", "spans": {"MALWARE: VaporRage": [[0, 9]], "THREAT_ACTOR: APT29": [[58, 63]]}, "info": {"id": "mitre_mw_0668", "source": "mitre_attack", "mitre_id": "S0636", "name": "VaporRage", "type": "malware"}}
{"text": "P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.", "spans": {"THREAT_ACTOR: menuPass": [[36, 44]], "MALWARE: P8RAT": [[0, 5]]}, "info": {"id": "mitre_mw_0669", "source": "mitre_attack", "mitre_id": "S0626", "name": "P8RAT", "type": "malware"}}
{"text": "SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.", "spans": {"MALWARE: SLIGHTPULSE": [[0, 11]], "THREAT_ACTOR: APT5": [[44, 48]]}, "info": {"id": "mitre_mw_0670", "source": "mitre_attack", "mitre_id": "S1110", "name": "SLIGHTPULSE", "type": "malware"}}
{"text": "Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts.", "spans": {"THREAT_ACTOR: Elderwood": [[34, 43]], "MALWARE: Linfo": [[0, 5]]}, "info": {"id": "mitre_mw_0671", "source": "mitre_attack", "mitre_id": "S0211", "name": "Linfo", "type": "malware"}}
{"text": "Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.", "spans": {"THREAT_ACTOR: PittyTiger": [[74, 84]], "MALWARE: Lurid": [[0, 5]]}, "info": {"id": "mitre_mw_0672", "source": "mitre_attack", "mitre_id": "S0010", "name": "Lurid", "type": "malware"}}
{"text": "Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.", "spans": {"MALWARE: Carbanak": [[110, 118]], "MALWARE: Lizar": [[0, 5]], "THREAT_ACTOR: FIN7": [[147, 151]], "SYSTEM: .NET": [[56, 60]]}, "info": {"id": "mitre_mw_0673", "source": "mitre_attack", "mitre_id": "S0681", "name": "Lizar", "type": "malware"}}
{"text": "SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019.", "spans": {"MALWARE: SpeakUp": [[0, 7]], "SYSTEM: Linux": [[47, 52]]}, "info": {"id": "mitre_mw_0674", "source": "mitre_attack", "mitre_id": "S0374", "name": "SpeakUp", "type": "malware"}}
{"text": "HIUPAN (aka U2DiskWatch) is a worm that propagates through removable drives known to be leveraged by Mustang Panda and was first observed utilized in 2024.", "spans": {"THREAT_ACTOR: Mustang Panda": [[101, 114]], "MALWARE: HIUPAN": [[0, 6]]}, "info": {"id": "mitre_mw_0675", "source": "mitre_attack", "mitre_id": "S1230", "name": "HIUPAN", "type": "malware"}}
{"text": "Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 2021 to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.", "spans": {"MALWARE: Sardonic": [[0, 8], [158, 166]], "THREAT_ACTOR: FIN8": [[72, 76]]}, "info": {"id": "mitre_mw_0676", "source": "mitre_attack", "mitre_id": "S1085", "name": "Sardonic", "type": "malware"}}
{"text": "Embargo is a ransomware variant written in Rust that has been active since at least May 2024. Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts. Embargo is also reportedly a Ransomware as a Service (RaaS).", "spans": {"MALWARE: Embargo": [[0, 7], [94, 101], [311, 318], [530, 537]]}, "info": {"id": "mitre_mw_0677", "source": "mitre_attack", "mitre_id": "S1247", "name": "Embargo", "type": "malware"}}
{"text": "Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms.", "spans": {"SYSTEM: Docker": [[204, 210]], "TOOL: ngrok": [[156, 161]], "MALWARE: Doki": [[0, 4], [118, 122]]}, "info": {"id": "mitre_mw_0678", "source": "mitre_attack", "mitre_id": "S0600", "name": "Doki", "type": "malware"}}
{"text": "MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords.", "spans": {"MALWARE: MESSAGETAP": [[0, 10]], "THREAT_ACTOR: APT41": [[55, 60]]}, "info": {"id": "mitre_mw_0679", "source": "mitre_attack", "mitre_id": "S0443", "name": "MESSAGETAP", "type": "malware"}}
{"text": "TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets. TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.", "spans": {"THREAT_ACTOR: BlackTech": [[61, 70]], "MALWARE: TSCookie": [[0, 8], [110, 118]], "MALWARE: PLEAD": [[143, 148]]}, "info": {"id": "mitre_mw_0680", "source": "mitre_attack", "mitre_id": "S0436", "name": "TSCookie", "type": "malware"}}
{"text": "RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers.", "spans": {"MALWARE: RGDoor": [[0, 6], [98, 104], [197, 203]], "SYSTEM: IIS": [[53, 56], [244, 247]]}, "info": {"id": "mitre_mw_0681", "source": "mitre_attack", "mitre_id": "S0258", "name": "RGDoor", "type": "malware"}}
{"text": "Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.", "spans": {"MALWARE: Gelsemium": [[183, 192]], "ORGANIZATION: Microsoft": [[46, 55]], "MALWARE: Chrommme": [[0, 8]]}, "info": {"id": "mitre_mw_0682", "source": "mitre_attack", "mitre_id": "S0667", "name": "Chrommme", "type": "malware"}}
{"text": "RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince.", "spans": {"MALWARE: Brave Prince": [[139, 151]], "MALWARE: Gold Dragon": [[123, 134]], "MALWARE: RunningRAT": [[0, 10]]}, "info": {"id": "mitre_mw_0683", "source": "mitre_attack", "mitre_id": "S0253", "name": "RunningRAT", "type": "malware"}}
{"text": "CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.", "spans": {"MALWARE: CORESHELL": [[0, 9], [120, 129]], "MALWARE: SOURFACE": [[89, 97]], "THREAT_ACTOR: APT28": [[34, 39]]}, "info": {"id": "mitre_mw_0684", "source": "mitre_attack", "mitre_id": "S0137", "name": "CORESHELL", "type": "malware"}}
{"text": "BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, BlackByte 2.0 Ransomware does not have a common key for victim decryption. BlackByte 2.0 Ransomware remains uniquely associated with BlackByte operations.", "spans": {"MALWARE: BlackByte 2.0 Ransomware": [[0, 24], [97, 121], [172, 196]], "MALWARE: BlackByte Ransomware": [[46, 66], [75, 95]], "THREAT_ACTOR: BlackByte": [[230, 239]]}, "info": {"id": "mitre_mw_0685", "source": "mitre_attack", "mitre_id": "S1181", "name": "BlackByte 2.0 Ransomware", "type": "malware"}}
{"text": "SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.", "spans": {"THREAT_ACTOR: MuddyWater": [[38, 48]], "MALWARE: SHARPSTATS": [[0, 10]], "SYSTEM: .NET": [[16, 20]]}, "info": {"id": "mitre_mw_0686", "source": "mitre_attack", "mitre_id": "S0450", "name": "SHARPSTATS", "type": "malware"}}
{"text": "FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.", "spans": {"MALWARE: FunnyDream": [[0, 10], [75, 85]]}, "info": {"id": "mitre_mw_0687", "source": "mitre_attack", "mitre_id": "S1044", "name": "FunnyDream", "type": "malware"}}
{"text": "JCry is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.", "spans": {"MALWARE: JCry": [[0, 4]]}, "info": {"id": "mitre_mw_0688", "source": "mitre_attack", "mitre_id": "S0389", "name": "JCry", "type": "malware"}}
{"text": "QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.", "spans": {"THREAT_ACTOR: Gamaredon Group": [[59, 74]], "MALWARE: QuietSieve": [[0, 10]]}, "info": {"id": "mitre_mw_0689", "source": "mitre_attack", "mitre_id": "S0686", "name": "QuietSieve", "type": "malware"}}
{"text": "KOCTOPUS's batch variant is a loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.", "spans": {"THREAT_ACTOR: LazyScripter": [[45, 57]], "TOOL: QuasarRAT": [[118, 127]], "MALWARE: KOCTOPUS": [[0, 8], [129, 137]], "MALWARE: Octopus": [[79, 86]], "TOOL: Koadic": [[91, 97]]}, "info": {"id": "mitre_mw_0690", "source": "mitre_attack", "mitre_id": "S0669", "name": "KOCTOPUS", "type": "malware"}}
{"text": "SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea.", "spans": {"MALWARE: SLOWDRIFT": [[0, 9]], "THREAT_ACTOR: APT37": [[32, 37]]}, "info": {"id": "mitre_mw_0691", "source": "mitre_attack", "mitre_id": "S0218", "name": "SLOWDRIFT", "type": "malware"}}
{"text": "Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016.", "spans": {"MALWARE: Calisto": [[0, 7], [76, 83]], "SYSTEM: macOS": [[13, 18]]}, "info": {"id": "mitre_mw_0692", "source": "mitre_attack", "mitre_id": "S0274", "name": "Calisto", "type": "malware"}}
{"text": "CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has been used as a downloader to install SYSCON.", "spans": {"TOOL: CARROTBALL": [[0, 10], [82, 92]], "MALWARE: SYSCON": [[134, 140]], "SYSTEM: FTP": [[17, 20]]}, "info": {"id": "mitre_tl_0000", "source": "mitre_attack", "mitre_id": "S0465", "name": "CARROTBALL", "type": "tool"}}
{"text": "AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.", "spans": {"TOOL: AsyncRAT": [[0, 8]]}, "info": {"id": "mitre_tl_0001", "source": "mitre_attack", "mitre_id": "S1087", "name": "AsyncRAT", "type": "tool"}}
{"text": "AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.", "spans": {"SYSTEM: Active Directory": [[98, 114]], "TOOL: AADInternals": [[0, 12]], "SYSTEM: PowerShell": [[18, 28]], "SYSTEM: GitHub": [[150, 156]]}, "info": {"id": "mitre_tl_0002", "source": "mitre_attack", "mitre_id": "S0677", "name": "AADInternals", "type": "tool"}}
{"text": "Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.", "spans": {"TOOL: Remcos": [[0, 6], [133, 139]]}, "info": {"id": "mitre_tl_0003", "source": "mitre_attack", "mitre_id": "S0332", "name": "Remcos", "type": "tool"}}
{"text": "RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.", "spans": {"TOOL: RemoteUtilities": [[0, 15]], "THREAT_ACTOR: MuddyWater": [[81, 91]]}, "info": {"id": "mitre_tl_0004", "source": "mitre_attack", "mitre_id": "S0592", "name": "RemoteUtilities", "type": "tool"}}
{"text": "Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is designed to \"plug-n-play\" with various agents and communication channels. Deployed Mythic C2 servers have been observed as part of potentially malicious infrastructure.", "spans": {"TOOL: Mythic": [[0, 6], [89, 95], [182, 188]]}, "info": {"id": "mitre_tl_0005", "source": "mitre_attack", "mitre_id": "S0699", "name": "Mythic", "type": "tool"}}
{"text": "netsh is a scripting utility used to interact with networking components on local or remote systems.", "spans": {"TOOL: netsh": [[0, 5]]}, "info": {"id": "mitre_tl_0006", "source": "mitre_attack", "mitre_id": "S0108", "name": "netsh", "type": "tool"}}
{"text": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.", "spans": {"TOOL: ifconfig": [[0, 8]]}, "info": {"id": "mitre_tl_0007", "source": "mitre_attack", "mitre_id": "S0101", "name": "ifconfig", "type": "tool"}}
{"text": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.", "spans": {"TOOL: Pass-The-Hash Toolkit": [[0, 21]]}, "info": {"id": "mitre_tl_0008", "source": "mitre_attack", "mitre_id": "S0122", "name": "Pass-The-Hash Toolkit", "type": "tool"}}
{"text": "sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws.", "spans": {"TOOL: sqlmap": [[0, 6]]}, "info": {"id": "mitre_tl_0009", "source": "mitre_attack", "mitre_id": "S0225", "name": "sqlmap", "type": "tool"}}
{"text": "SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools.", "spans": {"ORGANIZATION: Microsoft": [[109, 118]], "TOOL: SDelete": [[0, 7]]}, "info": {"id": "mitre_tl_0010", "source": "mitre_attack", "mitre_id": "S0195", "name": "SDelete", "type": "tool"}}
{"text": "Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.", "spans": {"TOOL: Rubeus": [[0, 6]]}, "info": {"id": "mitre_tl_0011", "source": "mitre_attack", "mitre_id": "S1071", "name": "Rubeus", "type": "tool"}}
{"text": "Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.", "spans": {"TOOL: Wevtutil": [[0, 8]], "SYSTEM: Windows": [[14, 21]]}, "info": {"id": "mitre_tl_0012", "source": "mitre_attack", "mitre_id": "S0645", "name": "Wevtutil", "type": "tool"}}
{"text": "ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.", "spans": {"TOOL: ftp": [[0, 3]], "SYSTEM: FTP": [[116, 119]]}, "info": {"id": "mitre_tl_0013", "source": "mitre_attack", "mitre_id": "S0095", "name": "ftp", "type": "tool"}}
{"text": "Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts.", "spans": {"TOOL: Forfiles": [[0, 8], [220, 228]], "SYSTEM: Windows": [[14, 21]]}, "info": {"id": "mitre_tl_0014", "source": "mitre_attack", "mitre_id": "S0193", "name": "Forfiles", "type": "tool"}}
{"text": "Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service account tokens for lateral movement and privilege escalation. The tool is written in GoLang and publicly available on GitHub.", "spans": {"SYSTEM: Kubernetes": [[32, 42]], "TOOL: Peirates": [[0, 8]], "SYSTEM: GitHub": [[218, 224]]}, "info": {"id": "mitre_tl_0015", "source": "mitre_attack", "mitre_id": "S0683", "name": "Peirates", "type": "tool"}}
{"text": "Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.", "spans": {"SYSTEM: Windows": [[12, 19]], "TOOL: Nltest": [[0, 6]]}, "info": {"id": "mitre_tl_0016", "source": "mitre_attack", "mitre_id": "S0359", "name": "Nltest", "type": "tool"}}
{"text": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.", "spans": {"TOOL: gsecdump": [[0, 8]], "SYSTEM: Windows": [[103, 110]]}, "info": {"id": "mitre_tl_0017", "source": "mitre_attack", "mitre_id": "S0008", "name": "gsecdump", "type": "tool"}}
{"text": "BITSAdmin is a command line tool used to create and manage BITS Jobs.", "spans": {"TOOL: BITSAdmin": [[0, 9]]}, "info": {"id": "mitre_tl_0018", "source": "mitre_attack", "mitre_id": "S0190", "name": "BITSAdmin", "type": "tool"}}
{"text": "MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.", "spans": {"THREAT_ACTOR: Dragonfly": [[83, 92]], "TOOL: MCMD": [[0, 4]]}, "info": {"id": "mitre_tl_0019", "source": "mitre_attack", "mitre_id": "S0500", "name": "MCMD", "type": "tool"}}
{"text": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.", "spans": {"TOOL: Tasklist": [[4, 12]], "SYSTEM: Windows": [[177, 184]]}, "info": {"id": "mitre_tl_0020", "source": "mitre_attack", "mitre_id": "S0057", "name": "Tasklist", "type": "tool"}}
{"text": "Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed \"Grunts\" that communicate back to the controller.", "spans": {"TOOL: Covenant": [[0, 8], [218, 226]], "THREAT_ACTOR: HAFNIUM": [[191, 198]], "SYSTEM: .NET": [[70, 74]]}, "info": {"id": "mitre_tl_0021", "source": "mitre_attack", "mitre_id": "S1155", "name": "Covenant", "type": "tool"}}
{"text": "PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.", "spans": {"SYSTEM: PowerShell": [[223, 233]], "SYSTEM: Windows": [[275, 282]], "TOOL: PoshC2": [[0, 6], [244, 250]], "SYSTEM: GitHub": [[109, 115]], "SYSTEM: Python": [[181, 187], [321, 327]], "SYSTEM: macOS": [[346, 351]], "SYSTEM: Linux": [[340, 345]]}, "info": {"id": "mitre_tl_0022", "source": "mitre_attack", "mitre_id": "S0378", "name": "PoshC2", "type": "tool"}}
{"text": "SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.", "spans": {"TOOL: SILENTTRINITY": [[0, 13], [171, 184]], "SYSTEM: Python": [[107, 113]]}, "info": {"id": "mitre_tl_0023", "source": "mitre_attack", "mitre_id": "S0692", "name": "SILENTTRINITY", "type": "tool"}}
{"text": "Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.", "spans": {"TOOL: Impacket": [[0, 8], [137, 145]], "SYSTEM: Windows": [[222, 229]], "SYSTEM: Python": [[60, 66]]}, "info": {"id": "mitre_tl_0024", "source": "mitre_attack", "mitre_id": "S0357", "name": "Impacket", "type": "tool"}}
{"text": "certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.", "spans": {"TOOL: certutil": [[0, 8]]}, "info": {"id": "mitre_tl_0025", "source": "mitre_attack", "mitre_id": "S0160", "name": "certutil", "type": "tool"}}
{"text": "Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.", "spans": {"TOOL: Imminent Monitor": [[0, 16], [146, 162]]}, "info": {"id": "mitre_tl_0026", "source": "mitre_attack", "mitre_id": "S0434", "name": "Imminent Monitor", "type": "tool"}}
{"text": "cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).", "spans": {"TOOL: cipher.exe": [[0, 10]], "ORGANIZATION: Microsoft": [[23, 32]]}, "info": {"id": "mitre_tl_0027", "source": "mitre_attack", "mitre_id": "S1205", "name": "cipher.exe", "type": "tool"}}
{"text": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks.", "spans": {"TOOL: HTRAN": [[0, 5]]}, "info": {"id": "mitre_tl_0028", "source": "mitre_attack", "mitre_id": "S0040", "name": "HTRAN", "type": "tool"}}
{"text": "MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms.", "spans": {"TOOL: MimiPenguin": [[0, 11]], "TOOL: Mimikatz": [[47, 55]], "SYSTEM: Linux": [[83, 88]]}, "info": {"id": "mitre_tl_0029", "source": "mitre_attack", "mitre_id": "S0179", "name": "MimiPenguin", "type": "tool"}}
{"text": "Expand is a Windows utility used to expand one or more compressed CAB files. It has been used by BBSRAT to decompress a CAB file into executable content.", "spans": {"SYSTEM: Windows": [[12, 19]], "MALWARE: BBSRAT": [[97, 103]], "TOOL: Expand": [[0, 6]]}, "info": {"id": "mitre_tl_0030", "source": "mitre_attack", "mitre_id": "S0361", "name": "Expand", "type": "tool"}}
{"text": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.", "spans": {"TOOL: Responder": [[0, 9]], "SYSTEM: HTTP": [[90, 94], [209, 213]], "SYSTEM: FTP": [[105, 108]], "SYSTEM: SMB": [[95, 98]]}, "info": {"id": "mitre_tl_0031", "source": "mitre_attack", "mitre_id": "S0174", "name": "Responder", "type": "tool"}}
{"text": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.", "spans": {"SYSTEM: Microsoft Exchange": [[74, 92]], "TOOL: MailSniper": [[0, 10]]}, "info": {"id": "mitre_tl_0032", "source": "mitre_attack", "mitre_id": "S0413", "name": "MailSniper", "type": "tool"}}
{"text": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. \n\nUtilities such as Reg are known to be used by persistent threats.", "spans": {"SYSTEM: Windows": [[9, 16], [51, 58]], "TOOL: Reg": [[0, 3], [181, 184]]}, "info": {"id": "mitre_tl_0033", "source": "mitre_attack", "mitre_id": "S0075", "name": "Reg", "type": "tool"}}
{"text": "Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. Winexe is unique in that it is a GNU/Linux based client.", "spans": {"TOOL: Winexe": [[0, 6], [139, 145]], "TOOL: PsExec": [[53, 59]], "SYSTEM: Linux": [[176, 181]]}, "info": {"id": "mitre_tl_0034", "source": "mitre_attack", "mitre_id": "S0191", "name": "Winexe", "type": "tool"}}
{"text": "Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, \"armory,\" for staging and downloading additional tools and payloads to the primary C2 framework.", "spans": {"TOOL: Sliver": [[0, 6], [105, 111]]}, "info": {"id": "mitre_tl_0035", "source": "mitre_attack", "mitre_id": "S0633", "name": "Sliver", "type": "tool"}}
{"text": "Fgdump is a Windows password hash dumper.", "spans": {"SYSTEM: Windows": [[12, 19]], "TOOL: Fgdump": [[0, 6]]}, "info": {"id": "mitre_tl_0036", "source": "mitre_attack", "mitre_id": "S0120", "name": "Fgdump", "type": "tool"}}
{"text": "CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky.", "spans": {"TOOL: CSPY Downloader": [[0, 15]], "THREAT_ACTOR: Kimsuky": [[94, 101]]}, "info": {"id": "mitre_tl_0037", "source": "mitre_attack", "mitre_id": "S0527", "name": "CSPY Downloader", "type": "tool"}}
{"text": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.", "spans": {"SYSTEM: Active Directory": [[60, 76]], "ORGANIZATION: Microsoft": [[238, 247]], "TOOL: dsquery": [[0, 7]], "SYSTEM: Windows": [[158, 165]]}, "info": {"id": "mitre_tl_0038", "source": "mitre_attack", "mitre_id": "S0105", "name": "dsquery", "type": "tool"}}
{"text": "Donut is an open source framework used to generate position-independent shellcode. Donut generated code has been used by multiple threat actors to inject and load malicious payloads into memory.", "spans": {"TOOL: Donut": [[0, 5], [83, 88]]}, "info": {"id": "mitre_tl_0039", "source": "mitre_attack", "mitre_id": "S0695", "name": "Donut", "type": "tool"}}
{"text": "NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.", "spans": {"SYSTEM: Windows": [[120, 127]], "TOOL: NPPSPY": [[0, 6], [174, 180]]}, "info": {"id": "mitre_tl_0040", "source": "mitre_attack", "mitre_id": "S1131", "name": "NPPSPY", "type": "tool"}}
{"text": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.", "spans": {"TOOL: PsExec": [[47, 53]], "TOOL: xCmd": [[0, 4]]}, "info": {"id": "mitre_tl_0041", "source": "mitre_attack", "mitre_id": "S0123", "name": "xCmd", "type": "tool"}}
{"text": "pwdump is a credential dumper.", "spans": {"TOOL: pwdump": [[0, 6]]}, "info": {"id": "mitre_tl_0042", "source": "mitre_attack", "mitre_id": "S0006", "name": "pwdump", "type": "tool"}}
{"text": "ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.", "spans": {"TOOL: ShimRatReporter": [[0, 15], [280, 295]], "MALWARE: ShimRat": [[195, 202]], "THREAT_ACTOR: Mofang": [[62, 68]]}, "info": {"id": "mitre_tl_0043", "source": "mitre_attack", "mitre_id": "S0445", "name": "ShimRatReporter", "type": "tool"}}
{"text": "PcShare is an open source remote access tool that has been modified and used by Chinese threat actors, most notably during the FunnyDream campaign since late 2018.", "spans": {"MALWARE: FunnyDream": [[127, 137]], "TOOL: PcShare": [[0, 7]]}, "info": {"id": "mitre_tl_0044", "source": "mitre_attack", "mitre_id": "S1050", "name": "PcShare", "type": "tool"}}
{"text": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.", "spans": {"TOOL: Ping": [[0, 4]]}, "info": {"id": "mitre_tl_0045", "source": "mitre_attack", "mitre_id": "S0097", "name": "Ping", "type": "tool"}}
{"text": "Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of usage is taking the PowerShell code from the Invoke-Mimikatz module and embedding it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords.", "spans": {"TOOL: Invoke-PSImage": [[0, 14]], "SYSTEM: PowerShell": [[23, 33], [217, 227], [406, 416]], "TOOL: Mimikatz": [[249, 257]]}, "info": {"id": "mitre_tl_0046", "source": "mitre_attack", "mitre_id": "S0231", "name": "Invoke-PSImage", "type": "tool"}}
{"text": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.", "spans": {"TOOL: Systeminfo": [[0, 10]], "SYSTEM: Windows": [[16, 23]]}, "info": {"id": "mitre_tl_0047", "source": "mitre_attack", "mitre_id": "S0096", "name": "Systeminfo", "type": "tool"}}
{"text": "meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.", "spans": {"SYSTEM: HTTPS": [[67, 72]], "TOOL: meek": [[0, 4]], "TOOL: Tor": [[23, 26], [47, 50]]}, "info": {"id": "mitre_tl_0048", "source": "mitre_attack", "mitre_id": "S0175", "name": "meek", "type": "tool"}}
{"text": "Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.", "spans": {"SYSTEM: Google Drive": [[96, 108]], "SYSTEM: Dropbox": [[87, 94]], "TOOL: Rclone": [[0, 6], [131, 137]], "MALWARE: Conti": [[225, 230]]}, "info": {"id": "mitre_tl_0049", "source": "mitre_attack", "mitre_id": "S1040", "name": "Rclone", "type": "tool"}}
{"text": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.", "spans": {"TOOL: schtasks": [[0, 8]], "SYSTEM: Windows": [[67, 74]]}, "info": {"id": "mitre_tl_0050", "source": "mitre_attack", "mitre_id": "S0111", "name": "schtasks", "type": "tool"}}
{"text": "IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.", "spans": {"TOOL: IronNetInjector": [[0, 15]], "MALWARE: ComRAT": [[176, 182]], "SYSTEM: Python": [[84, 90], [109, 115]], "THREAT_ACTOR: Turla": [[21, 26]], "SYSTEM: .NET": [[123, 127]]}, "info": {"id": "mitre_tl_0051", "source": "mitre_attack", "mitre_id": "S0581", "name": "IronNetInjector", "type": "tool"}}
{"text": "Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.", "spans": {"THREAT_ACTOR: MuddyWater": [[59, 69]], "TOOL: Out1": [[0, 4]]}, "info": {"id": "mitre_tl_0052", "source": "mitre_attack", "mitre_id": "S0594", "name": "Out1", "type": "tool"}}
{"text": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.", "spans": {"SYSTEM: GitHub": [[107, 113]], "SYSTEM: Python": [[74, 80]], "TOOL: Pacu": [[0, 4]]}, "info": {"id": "mitre_tl_0053", "source": "mitre_attack", "mitre_id": "S1091", "name": "Pacu", "type": "tool"}}
{"text": "spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET.", "spans": {"TOOL: spwebmember": [[0, 11]], "SYSTEM: SharePoint": [[27, 37]], "ORGANIZATION: Microsoft": [[17, 26]], "SYSTEM: .NET": [[83, 87]]}, "info": {"id": "mitre_tl_0054", "source": "mitre_attack", "mitre_id": "S0227", "name": "spwebmember", "type": "tool"}}
{"text": "esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.", "spans": {"TOOL: esentutl": [[0, 8]], "SYSTEM: Windows": [[73, 80]]}, "info": {"id": "mitre_tl_0055", "source": "mitre_attack", "mitre_id": "S0404", "name": "esentutl", "type": "tool"}}
{"text": "Windows Credential Editor is a password dumping tool.", "spans": {"TOOL: Windows Credential Editor": [[0, 25]]}, "info": {"id": "mitre_tl_0056", "source": "mitre_attack", "mitre_id": "S0005", "name": "Windows Credential Editor", "type": "tool"}}
{"text": "LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. LaZagne is publicly available on GitHub.", "spans": {"TOOL: LaZagne": [[0, 7], [181, 188]], "SYSTEM: Windows": [[114, 121], [164, 171]], "SYSTEM: GitHub": [[214, 220]], "SYSTEM: Linux": [[123, 128]]}, "info": {"id": "mitre_tl_0057", "source": "mitre_attack", "mitre_id": "S0349", "name": "LaZagne", "type": "tool"}}
{"text": "QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. QuasarRAT is developed in the C# language.", "spans": {"TOOL: QuasarRAT": [[0, 9], [112, 121]], "SYSTEM: GitHub": [[84, 90]]}, "info": {"id": "mitre_tl_0058", "source": "mitre_attack", "mitre_id": "S0262", "name": "QuasarRAT", "type": "tool"}}
{"text": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.", "spans": {"TOOL: netstat": [[0, 7]]}, "info": {"id": "mitre_tl_0059", "source": "mitre_attack", "mitre_id": "S0104", "name": "netstat", "type": "tool"}}
{"text": "Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. Brute Ratel C4 was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.", "spans": {"TOOL: Brute Ratel C4": [[0, 14], [120, 134], [427, 441]]}, "info": {"id": "mitre_tl_0060", "source": "mitre_attack", "mitre_id": "S1063", "name": "Brute Ratel C4", "type": "tool"}}
{"text": "NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.", "spans": {"TOOL: NBTscan": [[0, 7]]}, "info": {"id": "mitre_tl_0061", "source": "mitre_attack", "mitre_id": "S0590", "name": "NBTscan", "type": "tool"}}
{"text": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.", "spans": {"TOOL: Mimikatz": [[0, 8]], "SYSTEM: Windows": [[63, 70]]}, "info": {"id": "mitre_tl_0062", "source": "mitre_attack", "mitre_id": "S0002", "name": "Mimikatz", "type": "tool"}}
{"text": "CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.", "spans": {"SYSTEM: Active Directory": [[147, 163]], "TOOL: CrackMapExec": [[0, 12], [125, 137]], "SYSTEM: Python": [[63, 69]]}, "info": {"id": "mitre_tl_0063", "source": "mitre_attack", "mitre_id": "S0488", "name": "CrackMapExec", "type": "tool"}}
{"text": "AdFind is a free command-line query tool that can be used for gathering information from Active Directory.", "spans": {"SYSTEM: Active Directory": [[89, 105]], "TOOL: AdFind": [[0, 6]]}, "info": {"id": "mitre_tl_0064", "source": "mitre_attack", "mitre_id": "S0552", "name": "AdFind", "type": "tool"}}
{"text": "BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.", "spans": {"SYSTEM: Active Directory": [[17, 33]], "TOOL: BloodHound": [[0, 10]]}, "info": {"id": "mitre_tl_0065", "source": "mitre_attack", "mitre_id": "S0521", "name": "BloodHound", "type": "tool"}}
{"text": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). Pupy is publicly available on GitHub.", "spans": {"SYSTEM: PowerShell": [[231, 241]], "SYSTEM: Windows": [[40, 47], [205, 212]], "SYSTEM: Android": [[61, 68]], "SYSTEM: GitHub": [[324, 330]], "SYSTEM: Python": [[137, 143], [218, 224]], "SYSTEM: Linux": [[49, 54], [257, 262]], "TOOL: Pupy": [[0, 4], [294, 298]]}, "info": {"id": "mitre_tl_0066", "source": "mitre_attack", "mitre_id": "S0192", "name": "Pupy", "type": "tool"}}
{"text": "attrib is a Windows utility used to display, set or remove attributes assigned to files or directories.", "spans": {"SYSTEM: Windows": [[12, 19]], "TOOL: attrib": [[0, 6], [59, 65]]}, "info": {"id": "mitre_tl_0067", "source": "mitre_attack", "mitre_id": "S1176", "name": "attrib", "type": "tool"}}
{"text": "Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache.", "spans": {"TOOL: Arp": [[0, 3]]}, "info": {"id": "mitre_tl_0068", "source": "mitre_attack", "mitre_id": "S0099", "name": "Arp", "type": "tool"}}
{"text": "ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.", "spans": {"SYSTEM: Active Directory": [[47, 63]], "TOOL: ROADTools": [[0, 9]], "SYSTEM: GitHub": [[134, 140]], "SYSTEM: Python": [[101, 107]]}, "info": {"id": "mitre_tl_0069", "source": "mitre_attack", "mitre_id": "S0684", "name": "ROADTools", "type": "tool"}}
{"text": "route can be used to find or change information within the local system IP routing table.", "spans": {"TOOL: route": [[0, 5]]}, "info": {"id": "mitre_tl_0070", "source": "mitre_attack", "mitre_id": "S0103", "name": "route", "type": "tool"}}
{"text": "Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of Ruler have also released a defensive tool, NotRuler, to detect its usage.", "spans": {"SYSTEM: Microsoft Exchange": [[25, 43]], "SYSTEM: GitHub": [[82, 88]], "TOOL: Ruler": [[0, 5], [152, 157], [198, 203]]}, "info": {"id": "mitre_tl_0071", "source": "mitre_attack", "mitre_id": "S0358", "name": "Ruler", "type": "tool"}}
{"text": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. \n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir), deleting files (e.g., del), and copying files (e.g., copy).", "spans": {"SYSTEM: Windows": [[11, 18]], "TOOL: cmd": [[0, 3]]}, "info": {"id": "mitre_tl_0072", "source": "mitre_attack", "mitre_id": "S0106", "name": "cmd", "type": "tool"}}
{"text": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. \n\nNet has a great deal of functionality, much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", "spans": {"TOOL: net.exe": [[483, 490]], "SYSTEM: Windows": [[38, 45], [343, 350]], "MALWARE: Disco": [[303, 308]], "TOOL: Net": [[4, 7], [169, 172]], "SYSTEM: SMB": [[339, 342]]}, "info": {"id": "mitre_tl_0073", "source": "mitre_attack", "mitre_id": "S0039", "name": "Net", "type": "tool"}}
{"text": "ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.", "spans": {"THREAT_ACTOR: GOLD SOUTHFIELD": [[136, 151]], "TOOL: ConnectWise": [[0, 11]], "THREAT_ACTOR: MuddyWater": [[121, 131]]}, "info": {"id": "mitre_tl_0074", "source": "mitre_attack", "mitre_id": "S0591", "name": "ConnectWise", "type": "tool"}}
{"text": "Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries.", "spans": {"TOOL: Havij": [[0, 5], [96, 101]]}, "info": {"id": "mitre_tl_0075", "source": "mitre_attack", "mitre_id": "S0224", "name": "Havij", "type": "tool"}}
{"text": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.", "spans": {"ORGANIZATION: Microsoft": [[17, 26]], "TOOL: PsExec": [[0, 6]]}, "info": {"id": "mitre_tl_0076", "source": "mitre_attack", "mitre_id": "S0029", "name": "PsExec", "type": "tool"}}
{"text": "Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.", "spans": {"SYSTEM: Windows": [[12, 19], [228, 235]], "TOOL: Koadic": [[0, 6], [115, 121]], "SYSTEM: GitHub": [[107, 113]]}, "info": {"id": "mitre_tl_0077", "source": "mitre_attack", "mitre_id": "S0250", "name": "Koadic", "type": "tool"}}
{"text": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.", "spans": {"TOOL: nbtstat": [[0, 7]]}, "info": {"id": "mitre_tl_0078", "source": "mitre_attack", "mitre_id": "S0102", "name": "nbtstat", "type": "tool"}}
{"text": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.", "spans": {"SYSTEM: Windows": [[81, 88]], "TOOL: UACMe": [[0, 5]]}, "info": {"id": "mitre_tl_0079", "source": "mitre_attack", "mitre_id": "S0116", "name": "UACMe", "type": "tool"}}
{"text": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.", "spans": {"TOOL: ipconfig": [[0, 8]], "SYSTEM: Windows": [[14, 21]], "SYSTEM: DNS": [[92, 95]]}, "info": {"id": "mitre_tl_0080", "source": "mitre_attack", "mitre_id": "S0100", "name": "ipconfig", "type": "tool"}}
{"text": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination.", "spans": {"TOOL: Tor": [[0, 3], [212, 215]]}, "info": {"id": "mitre_tl_0081", "source": "mitre_attack", "mitre_id": "S0183", "name": "Tor", "type": "tool"}}
{"text": "Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.", "spans": {"SYSTEM: PowerShell": [[236, 246]], "SYSTEM: Windows": [[251, 258]], "TOOL: Empire": [[0, 6], [287, 293]], "SYSTEM: GitHub": [[125, 131]], "SYSTEM: Python": [[179, 185], [263, 269]], "SYSTEM: macOS": [[280, 285]], "SYSTEM: Linux": [[274, 279]]}, "info": {"id": "mitre_tl_0082", "source": "mitre_attack", "mitre_id": "S0363", "name": "Empire", "type": "tool"}}
{"text": "ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.", "spans": {"TOOL: ngrok": [[0, 5], [160, 165]]}, "info": {"id": "mitre_tl_0083", "source": "mitre_attack", "mitre_id": "S0508", "name": "ngrok", "type": "tool"}}
{"text": "Cachedump is a publicly-available tool that extracts cached password hashes from a system’s registry.", "spans": {"TOOL: Cachedump": [[0, 9]]}, "info": {"id": "mitre_tl_0084", "source": "mitre_attack", "mitre_id": "S0119", "name": "Cachedump", "type": "tool"}}
{"text": "RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.", "spans": {"TOOL: RawDisk": [[0, 7]], "SYSTEM: Windows": [[320, 327]]}, "info": {"id": "mitre_tl_0085", "source": "mitre_attack", "mitre_id": "S0364", "name": "RawDisk", "type": "tool"}}
{"text": "PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration.", "spans": {"TOOL: PowerSploit": [[0, 11]], "SYSTEM: PowerShell": [[73, 83]]}, "info": {"id": "mitre_tl_0086", "source": "mitre_attack", "mitre_id": "S0194", "name": "PowerSploit", "type": "tool"}}
{"text": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.", "spans": {"TOOL: Lslsass": [[0, 7]]}, "info": {"id": "mitre_tl_0088", "source": "mitre_attack", "mitre_id": "S0121", "name": "Lslsass", "type": "tool"}}
{"text": "Quick Assist is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. Quick Assist allows for remote screen sharing and, with end user approval, remote control and command execution on the enabling device.", "spans": {"TOOL: Quick Assist": [[0, 12], [112, 124]], "ORGANIZATION: Microsoft": [[55, 64]], "SYSTEM: Windows": [[65, 72]], "SYSTEM: macOS": [[85, 90]]}, "info": {"id": "mitre_tl_0089", "source": "mitre_attack", "mitre_id": "S1209", "name": "Quick Assist", "type": "tool"}}
{"text": "FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.", "spans": {"SYSTEM: HTTP": [[246, 250]], "TOOL: FRP": [[0, 3], [187, 190]]}, "info": {"id": "mitre_tl_0090", "source": "mitre_attack", "mitre_id": "S1144", "name": "FRP", "type": "tool"}}