| {"text": "APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext and Banco de Chile; some of their attacks have been destructive.\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[131, 160]], "ORGANIZATION: Bank of Bangladesh": [[384, 402]], "ORGANIZATION: Banco de Chile": [[489, 503]], "THREAT_ACTOR: Lazarus Group": [[721, 734]], "ORGANIZATION: Bancomext": [[475, 484]], "TOOL: attrib": [[113, 119]], "THREAT_ACTOR: APT38": [[0, 5], [190, 195], [423, 428]], "ORGANIZATION: SWIFT": [[275, 280]]}, "info": {"id": "mitre_is_0005", "source": "mitre_attack", "mitre_id": "G0082", "name": "APT38", "type": "intrusion-set"}} |
| {"text": "Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.", "spans": {"ORGANIZATION: Federal Security Service": [[77, 101]], "MALWARE: Uroburos": [[429, 437]], "TOOL: attrib": [[54, 60]], "THREAT_ACTOR: Turla": [[0, 5], [305, 310]], "ORGANIZATION: FSB": [[103, 106]]}, "info": {"id": "mitre_is_0007", "source": "mitre_attack", "mitre_id": "G0010", "name": "Turla", "type": "intrusion-set"}} |
| {"text": "APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.", "spans": {"THREAT_ACTOR: Deep Panda": [[320, 330]], "THREAT_ACTOR: APT19": [[0, 5], [310, 315]]}, "info": {"id": "mitre_is_0013", "source": "mitre_attack", "mitre_id": "G0073", "name": "APT19", "type": "intrusion-set"}} |
| {"text": "Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.", "spans": {"MALWARE: Playcrypt": [[78, 87]], "MALWARE: Play": [[0, 4], [233, 237]]}, "info": {"id": "mitre_is_0030", "source": "mitre_attack", "mitre_id": "G1040", "name": "Play", "type": "intrusion-set"}} |
| {"text": "INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.", "spans": {"MALWARE: INC Ransomware": [[93, 107]], "THREAT_ACTOR: INC Ransom": [[0, 10], [155, 165]]}, "info": {"id": "mitre_is_0035", "source": "mitre_attack", "mitre_id": "G1032", "name": "INC Ransom", "type": "intrusion-set"}} |
| {"text": "Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).", "spans": {"THREAT_ACTOR: Malteiro": [[0, 8], [244, 252]], "MALWARE: Mispadu": [[171, 178]]}, "info": {"id": "mitre_is_0056", "source": "mitre_attack", "mitre_id": "G1026", "name": "Malteiro", "type": "intrusion-set"}} |
| {"text": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same.", "spans": {"THREAT_ACTOR: KungFu Kittens": [[278, 292]], "THREAT_ACTOR: PinkPanther": [[298, 309]], "THREAT_ACTOR: Deep Panda": [[0, 10], [214, 224], [311, 321], [451, 461]], "THREAT_ACTOR: Shell Crew": [[254, 264]], "THREAT_ACTOR: WebMasters": [[266, 276]], "THREAT_ACTOR: Black Vine": [[350, 360]], "TOOL: attrib": [[200, 206], [374, 380]], "THREAT_ACTOR: APT19": [[466, 471]]}, "info": {"id": "mitre_is_0057", "source": "mitre_attack", "mitre_id": "G0009", "name": "Deep Panda", "type": "intrusion-set"}} |
| {"text": "Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. \nScattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain. \nScattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.", "spans": {"THREAT_ACTOR: Scattered Spider": [[0, 16], [391, 407], [727, 743]]}, "info": {"id": "mitre_is_0070", "source": "mitre_attack", "mitre_id": "G1015", "name": "Scattered Spider", "type": "intrusion-set"}} |
| {"text": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).", "spans": {"THREAT_ACTOR: Threat Group 2889": [[192, 209]], "THREAT_ACTOR: Cleaver": [[0, 7], [122, 129], [171, 178]], "THREAT_ACTOR: TG-2889": [[211, 218]], "TOOL: attrib": [[40, 46]]}, "info": {"id": "mitre_is_0077", "source": "mitre_attack", "mitre_id": "G0003", "name": "Cleaver", "type": "intrusion-set"}} |
| {"text": "Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally.", "spans": {"THREAT_ACTOR: Medusa Group": [[0, 12], [367, 379], [710, 722]]}, "info": {"id": "mitre_is_0079", "source": "mitre_attack", "mitre_id": "G1051", "name": "Medusa Group", "type": "intrusion-set"}} |
| {"text": "TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.", "spans": {"THREAT_ACTOR: TA551": [[0, 5]]}, "info": {"id": "mitre_is_0114", "source": "mitre_attack", "mitre_id": "G0127", "name": "TA551", "type": "intrusion-set"}} |
| {"text": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.", "spans": {"ORGANIZATION: United Nations": [[151, 165]], "THREAT_ACTOR: BlackOasis": [[0, 10], [335, 345]], "THREAT_ACTOR: NEODYMIUM": [[287, 296]], "ORGANIZATION: Microsoft": [[274, 283]]}, "info": {"id": "mitre_is_0130", "source": "mitre_attack", "mitre_id": "G0063", "name": "BlackOasis", "type": "intrusion-set"}} |
| {"text": "Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.", "spans": {"THREAT_ACTOR: Mustang Panda": [[0, 13], [117, 130], [228, 241]]}, "info": {"id": "mitre_is_0135", "source": "mitre_attack", "mitre_id": "G0129", "name": "Mustang Panda", "type": "intrusion-set"}} |
| {"text": "NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.", "spans": {"THREAT_ACTOR: PROMETHIUM": [[182, 192]], "THREAT_ACTOR: BlackOasis": [[297, 307]], "THREAT_ACTOR: NEODYMIUM": [[0, 9], [249, 258]]}, "info": {"id": "mitre_is_0136", "source": "mitre_attack", "mitre_id": "G0055", "name": "NEODYMIUM", "type": "intrusion-set"}} |
| {"text": "Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).", "spans": {"THREAT_ACTOR: Silent Librarian": [[0, 16], [185, 201]]}, "info": {"id": "mitre_is_0147", "source": "mitre_attack", "mitre_id": "G0122", "name": "Silent Librarian", "type": "intrusion-set"}} |
| {"text": "Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.\n\nNorth Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.", "spans": {"ORGANIZATION: Reconnaissance General Bureau": [[85, 114]], "THREAT_ACTOR: Lazarus Group": [[0, 13], [122, 135], [353, 366], [828, 841]], "TOOL: attrib": [[67, 73], [747, 753]], "MALWARE: Flame": [[427, 432]]}, "info": {"id": "mitre_is_0149", "source": "mitre_attack", "mitre_id": "G0032", "name": "Lazarus Group", "type": "intrusion-set"}} |
| {"text": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.", "spans": {"MALWARE: PoisonIvy": [[317, 326]], "THREAT_ACTOR: DragonOK": [[0, 8], [147, 155]], "THREAT_ACTOR: Moafee": [[231, 237]], "MALWARE: PlugX": [[310, 315]]}, "info": {"id": "mitre_is_0167", "source": "mitre_attack", "mitre_id": "G0017", "name": "DragonOK", "type": "intrusion-set"}} |
| {"text": "Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.", "spans": {"THREAT_ACTOR: Elderwood": [[0, 9]], "MALWARE: Aurora": [[136, 142]], "ORGANIZATION: Google": [[100, 106]]}, "info": {"id": "mitre_is_0168", "source": "mitre_attack", "mitre_id": "G0066", "name": "Elderwood", "type": "intrusion-set"}} |
| {"text": "CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.", "spans": {"MALWARE: CHOPSTICK": [[0, 9]], "MALWARE: X-Agent": [[301, 308]], "SYSTEM: Windows": [[239, 246]], "SYSTEM: Android": [[313, 320]], "THREAT_ACTOR: APT28": [[59, 64]], "SYSTEM: Linux": [[251, 256]]}, "info": {"id": "mitre_mw_0004", "source": "mitre_attack", "mitre_id": "S0023", "name": "CHOPSTICK", "type": "malware"}} |
| {"text": "XORIndex Loader is a XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.", "spans": {"THREAT_ACTOR: Contagious Interview": [[282, 302]], "MALWARE: XORIndex Loader": [[0, 15], [144, 159], [193, 208], [304, 319]], "MALWARE: BeaverTail": [[124, 134]]}, "info": {"id": "mitre_mw_0014", "source": "mitre_attack", "mitre_id": "S1248", "name": "XORIndex Loader", "type": "malware"}} |
| {"text": "AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.", "spans": {"MALWARE: AppleSeed": [[0, 9]], "THREAT_ACTOR: Kimsuky": [[46, 53]]}, "info": {"id": "mitre_mw_0035", "source": "mitre_attack", "mitre_id": "S0622", "name": "AppleSeed", "type": "malware"}} |
| {"text": "PUBLOAD is a stager malware that has been observed installing itself in existing directories such as `C:\\Users\\Public` or creating new directories to stage the malware and its components. PUBLOAD malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2. PUBLOAD malware has previously been leveraged by China-affiliated actors identified as Mustang Panda. PUBLOAD is also known as “NoFive” and some public reporting identifies the loader component as CLAIMLOADER.", "spans": {"FILEPATH: C:\\Users\\Public": [[102, 117]], "THREAT_ACTOR: Mustang Panda": [[431, 444]], "MALWARE: CLAIMLOADER": [[541, 552]], "MALWARE: PUBLOAD": [[0, 7], [188, 195], [344, 351], [446, 453]]}, "info": {"id": "mitre_mw_0038", "source": "mitre_attack", "mitre_id": "S1228", "name": "PUBLOAD", "type": "malware"}} |
| {"text": "Nebulae is a backdoor that has been used by Naikon since at least 2020.", "spans": {"MALWARE: Nebulae": [[0, 7]], "THREAT_ACTOR: Naikon": [[44, 50]]}, "info": {"id": "mitre_mw_0044", "source": "mitre_attack", "mitre_id": "S0630", "name": "Nebulae", "type": "malware"}} |
| {"text": "FruitFly is designed to spy on Mac users.", "spans": {"MALWARE: FruitFly": [[0, 8]]}, "info": {"id": "mitre_mw_0047", "source": "mitre_attack", "mitre_id": "S0277", "name": "FruitFly", "type": "malware"}} |
| {"text": "SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe. \n\nIn October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as \"IAmTheKing\". ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as \"PowerPool\".", "spans": {"MALWARE: SLOTHFULMEDIA": [[0, 13], [383, 396], [498, 511]], "ORGANIZATION: Kaspersky": [[359, 368]], "ORGANIZATION: ESET": [[458, 462]]}, "info": {"id": "mitre_mw_0050", "source": "mitre_attack", "mitre_id": "S0533", "name": "SLOTHFULMEDIA", "type": "malware"}} |
| {"text": "RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD.", "spans": {"MALWARE: DRIFTWOOD": [[202, 211]], "MALWARE: FIENDCRY": [[179, 187]], "MALWARE: DUEBREW": [[189, 196]], "ORGANIZATION: FireEye": [[133, 140]], "MALWARE: RawPOS": [[0, 6], [149, 155]]}, "info": {"id": "mitre_mw_0097", "source": "mitre_attack", "mitre_id": "S0169", "name": "RawPOS", "type": "malware"}} |
| {"text": "Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.", "spans": {"THREAT_ACTOR: ToddyCat": [[58, 66], [211, 219]], "MALWARE: Samurai": [[434, 441]], "MALWARE: Ninja": [[0, 5], [137, 142], [294, 299]]}, "info": {"id": "mitre_mw_0111", "source": "mitre_attack", "mitre_id": "S1100", "name": "Ninja", "type": "malware"}} |
| {"text": "TONESHELL is a custom backdoor that has been used since at least Q1 2021. TONESHELL malware has previously been leveraged by Chinese affiliated actors identified as Mustang Panda.", "spans": {"THREAT_ACTOR: Mustang Panda": [[165, 178]], "MALWARE: TONESHELL": [[0, 9], [74, 83]]}, "info": {"id": "mitre_mw_0122", "source": "mitre_attack", "mitre_id": "S1239", "name": "TONESHELL", "type": "malware"}} |
| {"text": "iKitten is a macOS exfiltration agent.", "spans": {"MALWARE: iKitten": [[0, 7]], "SYSTEM: macOS": [[13, 18]]}, "info": {"id": "mitre_mw_0146", "source": "mitre_attack", "mitre_id": "S0278", "name": "iKitten", "type": "malware"}} |
| {"text": "Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.", "spans": {"MALWARE: Heyoka Backdoor": [[0, 15]], "THREAT_ACTOR: Aoqin Dragon": [[111, 123]]}, "info": {"id": "mitre_mw_0167", "source": "mitre_attack", "mitre_id": "S1027", "name": "Heyoka Backdoor", "type": "malware"}} |
| {"text": "Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. Functionality similar to Skeleton Key is included as a module in Mimikatz.", "spans": {"MALWARE: Skeleton Key": [[0, 12], [155, 167]], "TOOL: Mimikatz": [[195, 203]]}, "info": {"id": "mitre_mw_0171", "source": "mitre_attack", "mitre_id": "S0007", "name": "Skeleton Key", "type": "malware"}} |
| {"text": "AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.", "spans": {"CVE_ID: CVE-2014-6352": [[164, 177]], "MALWARE: AutoIt backdoor": [[0, 15]], "THREAT_ACTOR: MONSOON": [[80, 87]], "SYSTEM: Windows": [[243, 250]]}, "info": {"id": "mitre_mw_0176", "source": "mitre_attack", "mitre_id": "S0129", "name": "AutoIt backdoor", "type": "malware"}} |
| {"text": "Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.", "spans": {"MALWARE: Royal": [[0, 5], [133, 138], [228, 233], [427, 432]], "MALWARE: Conti": [[437, 442]]}, "info": {"id": "mitre_mw_0181", "source": "mitre_attack", "mitre_id": "S1073", "name": "Royal", "type": "malware"}} |
| {"text": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX.", "spans": {"MALWARE: XAgentOSX": [[109, 118]], "MALWARE: Komplex": [[0, 7]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "mitre_mw_0206", "source": "mitre_attack", "mitre_id": "S0162", "name": "Komplex", "type": "malware"}} |
| {"text": "IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.", "spans": {"MALWARE: IcedID": [[0, 6], [132, 138]], "MALWARE: Emotet": [[162, 168]]}, "info": {"id": "mitre_mw_0209", "source": "mitre_attack", "mitre_id": "S0483", "name": "IcedID", "type": "malware"}} |
| {"text": "STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed utilized in 2025. STATICPLUGIN has utilized a valid certificate in order to bypass endpoint security protections. STATICPLUGIN masqueraded as a legitimate software installer by using a custom TForm. STATICPLUGIN has been leveraged to deploy a loader that facilitates follow-on malware.", "spans": {"THREAT_ACTOR: Mustang Panda": [[54, 67]], "MALWARE: STATICPLUGIN": [[0, 12], [109, 121], [205, 217], [290, 302]]}, "info": {"id": "mitre_mw_0214", "source": "mitre_attack", "mitre_id": "S1238", "name": "STATICPLUGIN", "type": "malware"}} |
| {"text": "Proton is a macOS backdoor focusing on data theft and credential access.", "spans": {"MALWARE: Proton": [[0, 6]], "SYSTEM: macOS": [[12, 17]]}, "info": {"id": "mitre_mw_0226", "source": "mitre_attack", "mitre_id": "S0279", "name": "Proton", "type": "malware"}} |
| {"text": "InvisibleFerret is a modular Python malware that is leveraged for data exfiltration and remote access capabilities. InvisibleFerret consists of four modules: main, payload, browser, and AnyDesk. InvisibleFerret malware has been leveraged by North Korea-affiliated threat actors identified as DeceptiveDevelopment or Contagious Interview since 2023. InvisibleFerret has historically been introduced to the victim environment through the use of the BeaverTail malware.", "spans": {"THREAT_ACTOR: Contagious Interview": [[316, 336]], "THREAT_ACTOR: DeceptiveDevelopment": [[292, 312]], "MALWARE: InvisibleFerret": [[0, 15], [116, 131], [195, 210], [349, 364]], "MALWARE: BeaverTail": [[447, 457]]}, "info": {"id": "mitre_mw_0231", "source": "mitre_attack", "mitre_id": "S1245", "name": "InvisibleFerret", "type": "malware"}} |
| {"text": "HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.", "spans": {"THREAT_ACTOR: Contagious Interview": [[291, 311]], "MALWARE: HexEval Loader": [[0, 14], [143, 157], [192, 206], [313, 327]], "MALWARE: BeaverTail": [[123, 133]]}, "info": {"id": "mitre_mw_0250", "source": "mitre_attack", "mitre_id": "S1249", "name": "HexEval Loader", "type": "malware"}} |
| {"text": "Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. Apostle is written in .NET and shares various programming and functional overlaps with IPsec Helper.", "spans": {"MALWARE: IPsec Helper": [[187, 199]], "MALWARE: Apostle": [[0, 7], [100, 107]], "SYSTEM: .NET": [[122, 126]]}, "info": {"id": "mitre_mw_0268", "source": "mitre_attack", "mitre_id": "S1133", "name": "Apostle", "type": "malware"}} |
| {"text": "SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to aid in evading detection. SplatCloak has been deployed by SplatDropper and is known to be leveraged by Mustang Panda since 2025.", "spans": {"THREAT_ACTOR: Mustang Panda": [[204, 217]], "MALWARE: SplatDropper": [[159, 171]], "MALWARE: SplatCloak": [[0, 10], [127, 137]], "ORGANIZATION: Kaspersky": [[88, 97]], "SYSTEM: Windows": [[67, 74]]}, "info": {"id": "mitre_mw_0293", "source": "mitre_attack", "mitre_id": "S1234", "name": "SplatCloak", "type": "malware"}} |
| {"text": "VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi server and features command line execution, file transfer, and reverse shell capabilities. VIRTUALPIE has been in use since at least 2022 including by UNC3886 who installed it via malicious vSphere Installation Bundles (VIBs).", "spans": {"MALWARE: VIRTUALPIE": [[0, 10], [192, 202]], "THREAT_ACTOR: UNC3886": [[252, 259]], "SYSTEM: Python": [[48, 54]], "SYSTEM: VMware": [[89, 95]]}, "info": {"id": "mitre_mw_0324", "source": "mitre_attack", "mitre_id": "S1218", "name": "VIRTUALPIE", "type": "malware"}} |
| {"text": "CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024. CorKLOG is delivered through a RAR archive (e.g., src.rar), which contains two files: an executable (lcommute.exe) and the CorKLOG DLL (mscorsvc.dll). CorKLOG has established persistence on the system by creating services or with scheduled tasks.", "spans": {"THREAT_ACTOR: Mustang Panda": [[48, 61]], "MALWARE: CorKLOG": [[0, 7], [103, 110], [226, 233], [254, 261]]}, "info": {"id": "mitre_mw_0335", "source": "mitre_attack", "mitre_id": "S1235", "name": "CorKLOG", "type": "malware"}} |
| {"text": "DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.", "spans": {"THREAT_ACTOR: Moses Staff": [[51, 62], [141, 152]], "MALWARE: DCSrv": [[0, 5], [101, 106]]}, "info": {"id": "mitre_mw_0354", "source": "mitre_attack", "mitre_id": "S1033", "name": "DCSrv", "type": "malware"}} |
| {"text": "Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. The group using this malware has also been referred to as Sykipot.", "spans": {"MALWARE: Sykipot": [[0, 7], [142, 149], [240, 247]]}, "info": {"id": "mitre_mw_0386", "source": "mitre_attack", "mitre_id": "S0018", "name": "Sykipot", "type": "malware"}} |
| {"text": "BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail is capable of stealing logins from browsers and serves as a downloader for second stage payloads. BeaverTail has previously been leveraged by North Korea-affiliated actors identified as DeceptiveDevelopment or Contagious Interview. BeaverTail has been delivered to victims through code repository sites and has been embedded within malicious attachments.", "spans": {"THREAT_ACTOR: Contagious Interview": [[308, 328]], "THREAT_ACTOR: DeceptiveDevelopment": [[284, 304]], "MALWARE: BeaverTail": [[0, 10], [87, 97], [196, 206], [330, 340]], "SYSTEM: JavaScript": [[40, 50]]}, "info": {"id": "mitre_mw_0396", "source": "mitre_attack", "mitre_id": "S1246", "name": "BeaverTail", "type": "malware"}} |
| {"text": "HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chinese origin.", "spans": {"MALWARE: HTTPBrowser": [[0, 11]]}, "info": {"id": "mitre_mw_0417", "source": "mitre_attack", "mitre_id": "S0070", "name": "HTTPBrowser", "type": "malware"}} |
| {"text": "XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan.", "spans": {"MALWARE: CHOPSTICK": [[101, 110]], "MALWARE: XAgentOSX": [[0, 9]], "THREAT_ACTOR: APT28": [[44, 49]]}, "info": {"id": "mitre_mw_0489", "source": "mitre_attack", "mitre_id": "S0161", "name": "XAgentOSX", "type": "malware"}} |
| {"text": "RedLine Stealer is an information-stealer malware variant first identified in 2020. RedLine Stealer is a Malware as a Service (MaaS) and was reportedly sold as either a one-time purchase or a monthly subscription service. Information obtained from RedLine Stealer has been known to be sold on the deep and dark web to Initial Access Brokers (IABs), who use or resell the stolen credentials for further intrusions.", "spans": {"MALWARE: RedLine Stealer": [[0, 15], [84, 99], [248, 263]]}, "info": {"id": "mitre_mw_0491", "source": "mitre_attack", "mitre_id": "S1240", "name": "RedLine Stealer", "type": "malware"}} |
| {"text": "Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.", "spans": {"MALWARE: Socksbot": [[0, 8]]}, "info": {"id": "mitre_mw_0494", "source": "mitre_attack", "mitre_id": "S0273", "name": "Socksbot", "type": "malware"}} |
| {"text": "BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed utilized in 2015. BOOKWORM was later updated in late 2021 and the fall of 2022 to launch shellcode represented as UUID parameters.", "spans": {"THREAT_ACTOR: Mustang Panda": [[54, 67]], "MALWARE: BOOKWORM": [[0, 8], [109, 117]]}, "info": {"id": "mitre_mw_0498", "source": "mitre_attack", "mitre_id": "S1226", "name": "BOOKWORM", "type": "malware"}} |
| {"text": "HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.", "spans": {"MALWARE: DEATHRANSOM": [[100, 111]], "MALWARE: HELLOKITTY": [[0, 10], [127, 137]], "MALWARE: FIVEHANDS": [[116, 125]]}, "info": {"id": "mitre_mw_0500", "source": "mitre_attack", "mitre_id": "S0617", "name": "HELLOKITTY", "type": "malware"}} |
| {"text": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.", "spans": {"THREAT_ACTOR: Sandworm Team": [[391, 404]], "MALWARE: Cyclops Blink": [[410, 423]], "MALWARE: VPNFilter": [[0, 9], [154, 163], [350, 359]]}, "info": {"id": "mitre_mw_0530", "source": "mitre_attack", "mitre_id": "S1010", "name": "VPNFilter", "type": "malware"}} |
| {"text": "TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.", "spans": {"MALWARE: TINYTYPHON": [[0, 10]], "THREAT_ACTOR: MONSOON": [[78, 85]]}, "info": {"id": "mitre_mw_0536", "source": "mitre_attack", "mitre_id": "S0131", "name": "TINYTYPHON", "type": "malware"}} |
| {"text": "VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, VersaMem was used during Versa Director Zero Day Exploitation by Volt Typhoon to target ISPs and MSPs. VersaMem is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.", "spans": {"THREAT_ACTOR: Volt Typhoon": [[190, 202]], "MALWARE: VersaMem": [[0, 8], [125, 133], [228, 236]], "MALWARE: Disco": [[98, 103]]}, "info": {"id": "mitre_mw_0568", "source": "mitre_attack", "mitre_id": "S1154", "name": "VersaMem", "type": "malware"}} |
| {"text": "ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.", "spans": {"THREAT_ACTOR: Lazarus Group": [[49, 62], [197, 210]], "MALWARE: ThreatNeedle": [[0, 12]]}, "info": {"id": "mitre_mw_0571", "source": "mitre_attack", "mitre_id": "S0665", "name": "ThreatNeedle", "type": "malware"}} |
| {"text": "GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.", "spans": {"MALWARE: GoldFinder": [[0, 10], [276, 286]], "SYSTEM: SolarWinds": [[349, 359]], "THREAT_ACTOR: APT29": [[374, 379]], "TOOL: route": [[68, 73]], "SYSTEM: HTTP": [[23, 27]]}, "info": {"id": "mitre_mw_0576", "source": "mitre_attack", "mitre_id": "S0597", "name": "GoldFinder", "type": "malware"}} |
| {"text": "Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a-Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.", "spans": {"THREAT_ACTOR: Wizard Spider": [[247, 260]], "MALWARE: Diavol": [[0, 6], [187, 193]], "MALWARE: Bazar": [[304, 309]]}, "info": {"id": "mitre_mw_0586", "source": "mitre_attack", "mitre_id": "S0659", "name": "Diavol", "type": "malware"}} |
| {"text": "RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.", "spans": {"MALWARE: RansomHub": [[0, 9], [198, 207], [364, 373]], "SYSTEM: Windows": [[60, 67]], "SYSTEM: Linux": [[75, 80]]}, "info": {"id": "mitre_mw_0609", "source": "mitre_attack", "mitre_id": "S1212", "name": "RansomHub", "type": "malware"}} |
| {"text": "Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.", "spans": {"MALWARE: Action RAT": [[0, 10]], "THREAT_ACTOR: SideCopy": [[75, 83]]}, "info": {"id": "mitre_mw_0618", "source": "mitre_attack", "mitre_id": "S1028", "name": "Action RAT", "type": "malware"}} |
| {"text": "CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 2025. Mustang Panda utilizes DLL side-loading to execute within the victim environment prior to delivering a follow-on malicious encrypted payload. CANONSTAGER leverages Thread Local Storage (TLS) and Native Windows APIs within the victim environment to elude detections. CANONSTAGER also hides its code utilizing window procedures and message queues.", "spans": {"THREAT_ACTOR: Mustang Panda": [[49, 62], [104, 117]], "MALWARE: CANONSTAGER": [[0, 11], [246, 257], [370, 381]], "SYSTEM: Windows": [[306, 313]]}, "info": {"id": "mitre_mw_0619", "source": "mitre_attack", "mitre_id": "S1237", "name": "CANONSTAGER", "type": "malware"}} |
| {"text": "MegaCortex is ransomware that first appeared in May 2019. MegaCortex has mainly targeted industrial organizations.", "spans": {"MALWARE: MegaCortex": [[0, 10], [58, 68]]}, "info": {"id": "mitre_mw_0622", "source": "mitre_attack", "mitre_id": "S0576", "name": "MegaCortex", "type": "malware"}} |
| {"text": "SplatDropper is a loader that utilizes native Windows API to deliver its payload to the victim environment. SplatDropper has been delivered through RAR archives and used a legitimate executable for DLL side-loading. SplatDropper is known to be leveraged by Mustang Panda and was first observed utilized in 2025.", "spans": {"THREAT_ACTOR: Mustang Panda": [[257, 270]], "MALWARE: SplatDropper": [[0, 12], [108, 120], [216, 228]]}, "info": {"id": "mitre_mw_0636", "source": "mitre_attack", "mitre_id": "S1232", "name": "SplatDropper", "type": "malware"}} |
| {"text": "MacSpy is a malware-as-a-service offered on the dark web.", "spans": {"MALWARE: MacSpy": [[0, 6]]}, "info": {"id": "mitre_mw_0654", "source": "mitre_attack", "mitre_id": "S0282", "name": "MacSpy", "type": "malware"}} |
| {"text": "Embargo is a ransomware variant written in Rust that has been active since at least May 2024. Embargo ransomware operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Embargo ransomware has been known to be delivered through a loader known as MDeployer which also leverages a malware component known as MS4Killer that facilitates termination of processes operating on the victim hosts. Embargo is also reportedly a Ransomware as a Service (RaaS).", "spans": {"MALWARE: Embargo": [[0, 7], [94, 101], [311, 318], [530, 537]]}, "info": {"id": "mitre_mw_0677", "source": "mitre_attack", "mitre_id": "S1247", "name": "Embargo", "type": "malware"}} |
| {"text": "Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. Winexe is unique in that it is a GNU/Linux based client.", "spans": {"TOOL: Winexe": [[0, 6], [139, 145]], "TOOL: PsExec": [[53, 59]], "SYSTEM: Linux": [[176, 181]]}, "info": {"id": "mitre_tl_0034", "source": "mitre_attack", "mitre_id": "S0191", "name": "Winexe", "type": "tool"}} |
| {"text": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.", "spans": {"SYSTEM: Active Directory": [[60, 76]], "ORGANIZATION: Microsoft": [[238, 247]], "TOOL: dsquery": [[0, 7]], "SYSTEM: Windows": [[158, 165]]}, "info": {"id": "mitre_tl_0038", "source": "mitre_attack", "mitre_id": "S0105", "name": "dsquery", "type": "tool"}} |
| {"text": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). Pupy is publicly available on GitHub.", "spans": {"SYSTEM: PowerShell": [[231, 241]], "SYSTEM: Windows": [[40, 47], [205, 212]], "SYSTEM: Android": [[61, 68]], "SYSTEM: GitHub": [[324, 330]], "SYSTEM: Python": [[137, 143], [218, 224]], "SYSTEM: Linux": [[49, 54], [257, 262]], "TOOL: Pupy": [[0, 4], [294, 298]]}, "info": {"id": "mitre_tl_0066", "source": "mitre_attack", "mitre_id": "S0192", "name": "Pupy", "type": "tool"}} |
| {"text": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. \n\nNet has a great deal of functionality, much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", "spans": {"TOOL: net.exe": [[483, 490]], "SYSTEM: Windows": [[38, 45], [343, 350]], "MALWARE: Disco": [[303, 308]], "TOOL: Net": [[4, 7], [169, 172]], "SYSTEM: SMB": [[339, 342]]}, "info": {"id": "mitre_tl_0073", "source": "mitre_attack", "mitre_id": "S0039", "name": "Net", "type": "tool"}} |