Introduction

MISP logo

The MISP threat sharing platform is free and open source software that helps organisations share threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.

MISP galaxy is a simple method to express a large object, called a cluster, that can be attached to MISP events or attributes. A cluster can be composed of one or more elements, expressed as key-value pairs. Default vocabularies are available in MISP galaxy, but they can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. A MISP distribution level can be applied to each cluster to permit a narrower or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.

Funding and Support

The MISP project is supported, financially and with resources, by CIRCL (Computer Incident Response Center Luxembourg).

CIRCL logo

A CEF (Connecting Europe Facility) grant under CEF-TC-2016-3 - Cyber Security was awarded for the period 1st September 2017 to 31st August 2019 for "Improving MISP as building blocks for next-generation information sharing".

CEF funding

If you are interested in co-funding projects around MISP, feel free to get in touch with us.

MISP galaxy

360.net Threat Actors

Known or estimated adversary groups as identified by 360.net.

360.net Threat Actors is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

360.net
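The entries below are rendered from cluster JSON of the kind described above: each cluster value becomes a tag of the form misp-galaxy:<galaxy type>="<value>", synonyms are listed under "is also known as", and "has relationships with" lines are produced by resolving each related entry's dest-uuid to a cluster in another galaxy and appending its estimative-language tags. The following is an added example, not code from the MISP project or from 360.net, showing how to do that resolution yourself. It assumes two constructed galaxy excerpts (the uuids, the second galaxy's synonym list and the deliberately dangling dest-uuid are invented for the example; the field names are the ones MISP galaxy files use).

```python
import json
from typing import Dict, List, Tuple

# Constructed excerpts (NOT the real galaxy files): two small galaxies that use
# the same field names as the MISP galaxy JSON (type, values[], uuid, value,
# meta.synonyms, meta.refs, related[].dest-uuid/type/tags). The uuids are
# invented; the second related entry points at a uuid no galaxy defines.
GALAXY_360NET = r'''
{
  "type": "360net-threat-actor",
  "name": "360.net Threat Actors",
  "values": [
    {
      "uuid": "0e2a6a5c-0000-4000-8000-000000000001",
      "value": "海莲花 - APT-C-00",
      "meta": {
        "synonyms": ["OceanLotus"],
        "refs": ["https://apt.360.net/report/apts/1.html"]
      },
      "related": [
        {"dest-uuid": "0e2a6a5c-0000-4000-8000-00000000aa32",
         "type": "similar",
         "tags": ["estimative-language:likelihood-probability=\"likely\""]},
        {"dest-uuid": "0e2a6a5c-0000-4000-8000-0000000000ff",
         "type": "similar",
         "tags": ["estimative-language:likelihood-probability=\"likely\""]}
      ]
    }
  ]
}
'''

GALAXY_THREAT_ACTOR = r'''
{
  "type": "threat-actor",
  "name": "Threat Actor",
  "values": [
    {
      "uuid": "0e2a6a5c-0000-4000-8000-00000000aa32",
      "value": "APT32",
      "meta": {"synonyms": ["OceanLotus", "SeaLotus"]}
    }
  ]
}
'''

# uuid -> (galaxy type, cluster dict)
ClusterIndex = Dict[str, Tuple[str, dict]]


def cluster_tag(galaxy_type: str, value: str) -> str:
    """Tag that MISP attaches to an event or attribute for one cluster value."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def load_galaxies(*json_texts: str) -> ClusterIndex:
    """Index every cluster value of every loaded galaxy by its uuid."""
    index: ClusterIndex = {}
    for text in json_texts:
        galaxy = json.loads(text)
        for cluster in galaxy["values"]:
            index[cluster["uuid"]] = (galaxy["type"], cluster)
    return index


def alias_index(index: ClusterIndex) -> Dict[str, List[str]]:
    """Map each value and synonym (case-folded) to every tag that carries it,
    so a name seen in a report can be pivoted to all galaxies that know it."""
    aliases: Dict[str, List[str]] = {}
    for galaxy_type, cluster in index.values():
        tag = cluster_tag(galaxy_type, cluster["value"])
        names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
        for name in names:
            aliases.setdefault(name.casefold(), []).append(tag)
    return aliases


def resolve_related(uuid: str, index: ClusterIndex) -> Tuple[List[str], List[str]]:
    """Render the 'has relationships with' lines for one cluster.

    Returns (rendered lines, dest-uuids that no loaded galaxy defines). A
    dangling dest-uuid usually means a galaxy file is missing or out of date,
    so it is reported instead of silently dropped."""
    _, cluster = index[uuid]
    rendered: List[str] = []
    dangling: List[str] = []
    for rel in cluster.get("related", []):
        target = index.get(rel["dest-uuid"])
        if target is None:
            dangling.append(rel["dest-uuid"])
            continue
        target_type, target_cluster = target
        line = f'{rel["type"]}: {cluster_tag(target_type, target_cluster["value"])}'
        if rel.get("tags"):
            line += " with " + ", ".join(rel["tags"])
        rendered.append(line)
    return rendered, dangling


if __name__ == "__main__":
    idx = load_galaxies(GALAXY_360NET, GALAXY_THREAT_ACTOR)
    print(alias_index(idx)["oceanlotus"])
    print(resolve_related("0e2a6a5c-0000-4000-8000-000000000001", idx))
```

Running it prints both tags that carry the alias "OceanLotus" (one per galaxy) and, for the 360.net cluster, one rendered "similar:" line plus the one dest-uuid that could not be resolved. Loading the real galaxy files (for example from a misp-galaxy checkout) in place of the constructed strings works unchanged, because only the field names are relied upon.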

CIA - APT-C-39

APT-C-39 is a high-profile, highly capable APT group from the United States, linked to the NSA and belonging to the CIA. It has conducted network intrusion attacks against key Chinese sectors for eleven years. Many Chinese organisations, including those in aerospace, scientific research institutions, the oil industry, large Internet companies and government agencies, have been attacked to varying degrees.

The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"

CIA - APT-C-39 is also known as:

Table 1. Table References

Links

https://apt.360.net/report/apts/96.html

https://apt.360.net/report/apts/12.html

海莲花 - APT-C-00

The OceanLotus (海莲花) APT group is a highly organised and professional foreign state-level hacking group, first discovered and disclosed by 360. Since at least April 2012 the group has carried out organised, planned, targeted and uninterrupted long-term attacks against important Chinese sectors, including government, research institutes, maritime agencies, maritime construction and shipping companies.

The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"

海莲花 - APT-C-00 is also known as:

  • OceanLotus

海莲花 - APT-C-00 has relationships with:

  • similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT32 - G0050" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Canvas Cyclone" with estimative-language:likelihood-probability="likely"

Table 2. Table References

Links

https://apt.360.net/report/apts/93.html

https://apt.360.net/report/apts/1.html

https://apt.360.net/report/apts/94.html

摩诃草 - APT-C-09

The 摩诃草 group (APT-C-09), also known as HangOver, VICEROY TIGER, The Dropping Elephant and Patchwork, is a foreign APT group from South Asia that has been active for 12 years. It was first exposed by the security company Norman in 2013; other security vendors have since tracked and disclosed its latest activity, but the group did not stop attacking its targets after the exposure and has in fact been more active since 2015. The group mainly conducts cyber-espionage against China, Pakistan and other countries in Asia, primarily to steal sensitive information. Its attacks can be traced back to November 2009 and remain very active today. In its attacks on China the group mainly targets government agencies and the research and education sector, with the latter being the primary target.

The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"

摩诃草 - APT-C-09 is also known as:

  • HangOver

  • VICEROY TIGER

  • The Dropping Elephant

  • Patchwork

摩诃草 - APT-C-09 has relationships with:

  • similar: misp-galaxy:threat-actor="VICEROY TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"

Table 3. Table References

Links

https://apt.360.net/report/apts/110.html

https://apt.360.net/report/apts/6.html

黄金鼠 - APT-C-27

Since November 2014 the 黄金鼠 (Golden Rat) group (APT-C-27) has carried out organised, planned, targeted and uninterrupted long-term attacks against the Syrian region. Its attack platforms expanded from Windows to Android; to date we have captured 29 Android attack samples and 55 Windows attack samples, involving 9 C&C domains. APT-C-27 was named Golden Rat for the following reasons: first, the group used a large amount of resources during its attacks, showing that it is well resourced, and golden rats habitually hoard food in the wild over long periods, so the name also literally conveys abundance; second, the group usually emerges to attack at intervals, which it has in common with rats; third, the golden hamster is a fairly representative animal of the Syrian region.

The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"

黄金鼠 - APT-C-27 is also known as:

Table 4. Table References

Links

https://apt.360.net/report/apts/100.html

https://apt.360.net/report/apts/98.html

https://apt.360.net/report/apts/26.html

Lazarus - APT-C-26

The Lazarus group is an APT group suspected to originate from North Korea. It has long conducted intrusion attacks against South Korea and the United States, and also attacks financial institutions worldwide, making it arguably the biggest threat to global financial institutions. Its earliest attack activity can be traced back to 2007. According to investigations by foreign security companies, Lazarus has been linked to the 2014 Sony Pictures hack, the 2016 Bangladesh Bank data breach, and the 2017 attacks on US defence contractors, the US energy sector and bitcoin exchanges in the UK, South Korea and elsewhere. The "WannaCry" ransomware, the most notorious security incident of 2017, which swept the globe, is also suspected to be the work of this group.

The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"

Lazarus - APT-C-26 is also known as:

  • APT38

Lazarus - APT-C-26 has relationships with:

  • similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT38 - G0082" with estimative-language:likelihood-probability="likely"

Table 5. Table References

Links

https://apt.360.net/report/apts/9.html

https://apt.360.net/report/apts/101.html

https://apt.360.net/report/apts/90.html

黄金雕 - APT-C-34

The activity of the 黄金雕 (Golden Falcon) group mainly affects Central Asia, most of it concentrated within Kazakhstan. Its targets include the education sector, government officials, researchers, media workers, some commercial and industrial organisations, military personnel, religious figures, government dissidents and diplomats. The group uses social engineering, physical access and radio interception to carry out its attacks, and has also purchased weapons from cyber-arms dealers such as HackingTeam and NSO Group, giving it advanced intrusion capabilities including 0-day exploits. With reference to the Central Asian custom of training falcons for hunting, 360 named the group Golden Falcon (APT-C-34).

The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"

黄金雕 - APT-C-34 is also known as:

Table 6. Table References

Links

https://apt.360.net/report/apts/11.html

盲眼鹰 - APT-C-36

Since April 2018 an APT group suspected to originate from South America, 盲眼鹰 (Blind Eagle, APT-C-36), has carried out organised, planned, targeted and uninterrupted long-term attacks against important sectors in Colombia, including government agencies and large companies in finance, oil, manufacturing and other industries. Its attack platform is mainly Windows and its targets are Colombian government and enterprise organisations. Because one distinctive target was the Colombian National Institute for the Blind, and Colombia is known as the "eagles of South America" in football, and taking into account other characteristics of the group and the 360 Threat Intelligence Center naming convention for APT groups, we named the group Blind Eagle (APT-C-36).

The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"

盲眼鹰 - APT-C-36 is also known as:

Table 7. Table References

Links

https://apt.360.net/report/apts/83.html

毒针 - APT-C-31

On 25 November 2018 the 360 Advanced Threat Response Team was the first in the world to discover an APT attack against Russia, targeting a medical institution belonging to the Office of the President of Russia. The attack used the Flash 0-day CVE-2018-15982 and the Hacking Team RCS backdoor. Given the medical function of the targeted institution, 360 named the attack operation 毒针 ("Poison Needle").

The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"

毒针 - APT-C-31 is also known as:

Table 8. Table References

Links

https://apt.360.net/report/apts/10.html

ArmaRat - APT-C-33

In July 2016, 360 discovered an APT campaign against Iranian Android phone users that had lasted two years. The attackers distributed a disguised ArmaRat trojan via the messaging app Telegram; after a successful compromise the attacker gained full control of the phone and could monitor it in real time. Because the keyword "arma" appeared in both the C&C infrastructure and the code structure throughout the trojan's evolution, we named the group "ArmaRat".

The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"

ArmaRat - APT-C-33 is also known as:

Table 9. Table References

Links

https://apt.360.net/report/apts/48.html

军刀狮 - APT-C-38

Since July 2015 the 军刀狮 (Saber Lion) group (APT-C-38) has carried out organised, planned, targeted and uninterrupted attacks in the Middle East, on the Windows and Android platforms. Because one of the group's main distinctive targets is the Kurdish population of a country in West Asia, the string "Saber" appears repeatedly in the PDB paths of its Windows RAT, and the Asiatic lion is the representative animal of that country, and taking into account other characteristics of the group and 360's naming convention for APT groups, we named the group Saber Lion (APT-C-38).

The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"

军刀狮 - APT-C-38 is also known as:

Table 10. Table References

Links

https://apt.360.net/report/apts/30.html

拍拍熊 - APT-C-37

The 拍拍熊 group (APT-C-37) has carried out organised, planned, targeted and uninterrupted long-term attacks against the extremist organisation "Islamic State", on the Windows and Android platforms.

The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"

拍拍熊 - APT-C-37 is also known as:

Table 11. Table References

Links

https://apt.360.net/report/apts/28.html

https://apt.360.net/report/apts/103.html

人面狮 - APT-C-15

Operation 人面狮 (Sphinx) is a cyber-espionage campaign active in the Middle East; its main targets may include various organisations in countries such as Egypt and Israel, with the aim of stealing sensitive data. Activity was concentrated between June 2014 and November 2015, with related attacks traceable to December 2011. The campaign mainly used social networks for watering-hole attacks; to date a total of 314 malicious samples and 7 C&C domains have been captured.

The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"

人面狮 - APT-C-15 is also known as:

Table 12. Table References

Links

https://apt.360.net/report/apts/8.html

美人鱼 - APT-C-07

The 美人鱼 (Mermaid) group (APT-C-07) is a foreign APT group from the Middle East that has been active for 9 years. It mainly conducts cyber-espionage against government agencies with the aim of stealing sensitive information, and has been confirmed to have attacked the Danish Ministry of Foreign Affairs.

The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"

美人鱼 - APT-C-07 is also known as:

Table 13. Table References

Links

https://apt.360.net/report/apts/4.html

双尾蝎 - APT-C-23

Since May 2016 the 双尾蝎 (Two-tailed Scorpion) group (APT-C-23) has carried out organised, planned, targeted and uninterrupted long-term attacks against important Palestinian sectors, including educational and military institutions. Its attack platforms include Windows and Android, and its attacks mainly target the Middle East; to date we have captured 24 Android samples and 19 Windows samples, involving 29 C&C domains. APT-C-23 was named Two-tailed Scorpion for the following reasons: first, the group attacked both Palestine and Israel, two parties with a degree of hostility toward each other, which has rarely been seen before; second, the group attacks on both Windows and Android. Although some APT groups we have intercepted in the past, such as OceanLotus, also attacked multiple platforms, the vast majority still focus on Windows, and an APT group that gives equal weight to both platforms and is this active on Android is uncommon. The third reason is that the scorpion is a fairly representative animal of the Israel/Palestine region.

The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"

双尾蝎 - APT-C-23 is also known as:

Table 14. Table References

Links

https://apt.360.net/report/apts/27.html

蓝宝菇 - APT-C-12

Since 2011 the advanced attack group 蓝宝菇 (APT-C-12) has conducted continuous cyber-espionage against key Chinese government, defence-industry, research and financial organisations and departments. The group mainly focuses on information related to the nuclear industry and scientific research. Its targets are concentrated in mainland China.

The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"

蓝宝菇 - APT-C-12 is also known as:

  • Operation NuclearCrisis (核危机行动)

Table 15. Table References

Links

https://apt.360.net/report/apts/7.html

毒云藤 - APT-C-01

APT-C-01, also known as 毒云藤, is an APT group that has long targeted mainland China and has been active since at least 2007. It conducted 11 years of cyber-espionage against key Chinese organisations, including defence, government, technology, education and maritime agencies, focusing mainly on the defence industry, China-US relations, cross-strait relations and maritime matters, with the aim of stealing major decisions and sensitive information. APT-C-01 was first disclosed by the 360 Threat Intelligence Center and was named 毒云藤 after a vine plant common in the region the group is associated with.

The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"

毒云藤 - APT-C-01 is also known as:

  • 穷奇

  • 白海豚

  • 绿斑

Table 16. Table References

Links

https://apt.360.net/report/apts/2.html

Darkhotel - APT-C-06

Darkhotel (APT-C-06) is an APT group that has long conducted cyber-espionage against corporate executives, the defence industry, the electronics industry and other important organisations. Kaspersky Lab security experts first discovered the Darkhotel APT group in November 2014 and stated that it had been active since at least 2010, with targets essentially in South Korea, China, Russia and Japan. Kaspersky named the group Darkhotel (暗黑客栈) because one of its exposed operations used hotel wireless networks to target elite executives in manufacturing, defence, investment capital, private equity, automotive and other industries.

The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"

Darkhotel - APT-C-06 is also known as:

  • Luder

  • Karba

  • Tapaoux

  • Dubnium

  • SIG25

Darkhotel - APT-C-06 has relationships with:

  • similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="DUBNIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Zigzag Hail" with estimative-language:likelihood-probability="likely"

Table 17. Table References

Links

https://apt.360.net/report/apts/97.html

https://apt.360.net/report/apts/3.html

奇幻熊 - APT-C-20

APT28 (APT-C-20) is also known as Pawn Storm, Sofacy, Sednit, Fancy Bear and Strontium. The group is suspected to be linked to the Russian government, and its attacks can be traced back to 2004. Its main targets include the defence industry, militaries, government organisations and the media. It has used a large number of 0-day vulnerabilities, and its malware targets not only PC operating systems such as Windows and Linux but also mobile operating systems such as Apple iOS. It was earlier suspected of involvement in network attacks on NATO. APT28 was highly active in the first quarter of 2015, attacking NATO member states and governments in Europe, Asia and the Middle East. Many security vendors suspect it is linked to the Russian government, and it was earlier suspected of secretly investigating the MH17 incident. Since 2016 the group's latest targets have been senior Turkish officials.

The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"

奇幻熊 - APT-C-20 is also known as:

  • APT28

  • Pawn Storm

  • Sofacy Group

  • Sednit

  • Fancy Bear

  • STRONTIUM

奇幻熊 - APT-C-20 has relationships with:

  • similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Forest Blizzard" with estimative-language:likelihood-probability="likely"

Table 18. Table References

Links

https://apt.360.net/report/apts/120.html

https://apt.360.net/report/apts/72.html

沙虫 - APT-C-13

The Sandworm group's main target sectors are government, education, energy organisations and telecommunications operators. It mainly conducts espionage against Western governments, NATO and the Ukrainian government. The group used the 0-day vulnerability CVE-2014-4114 in a phishing attack against the Ukrainian government, and also attacked the United States around the NATO summit in Wales that discussed the Ukraine crisis. The group has also used the BlackEnergy malware. Sandworm does not only conduct conventional cyber-espionage: it has also attacked SCADA systems, which researchers believe was reconnaissance for later network attacks. There is also some evidence that the BlackEnergy malware was involved in network attacks on Ukrainian power systems and other industrial sectors; if BlackEnergy was indeed used in those attacks, they may be linked to the Sandworm group.

The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"

沙虫 - APT-C-13 is also known as:

  • SandWorm

沙虫 - APT-C-13 has relationships with:

  • similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"

Table 19. Table References

Links

https://apt.360.net/report/apts/87.html

https://apt.360.net/report/apts/69.html

肚脑虫 - APT-C-35

The APT-C-35 (肚脑虫) group, also known as Donot, is an attack group that conducts cyber-espionage, primarily to steal sensitive information, against government agencies and other sectors in countries connected with the Kashmir region. The group was first exposed by 360's 追日 (Helios) team in March 2017, and several domestic and foreign security teams have since tracked and disclosed its latest activity. Its attacks began in April 2016 and continue today, mainly using spear-phishing emails.

The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"

肚脑虫 - APT-C-35 is also known as:

  • Donot

Table 20. Table References

Links

https://apt.360.net/report/apts/102.html

https://apt.360.net/report/apts/32.html

蔓灵花 - APT-C-08

The 蔓灵花 group uses spear-phishing emails and system vulnerabilities to attack mainly government, electric-power and industrial organisations, primarily to steal sensitive information. Foreign samples first appeared in November 2013, with sample compile times concentrated between July 2015 and September 2016. The security company Forcepoint first reported the group in 2016; it has been observed many times since and remains very active.

The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"

蔓灵花 - APT-C-08 is also known as:

Table 21. Table References

Links

https://apt.360.net/report/apts/5.html

索伦之眼 - APT-C-16

The 索伦之眼 (Eye of Sauron) group (APT-C-16), also known as Sauron and Strider, mainly conducts cyber-espionage against China, Russia and several other countries, primarily to steal sensitive information. Its attacks can be traced back to 2010 and it remains very active. The whole attack process is highly covert and extremely targeted: the group uses custom malware or communication infrastructure for specific targets and does not reuse attack resources. The complexity of its malware is comparable to Equation, and its overall capability is no weaker than that of APT groups such as Stuxnet and Flame.

The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"

索伦之眼 - APT-C-16 is also known as:

  • Sauron

  • Strider

索伦之眼 - APT-C-16 has relationships with:

  • similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Strider - G0041" with estimative-language:likelihood-probability="likely"

Table 22. Table References

Links

https://apt.360.net/report/apts/70.html

潜行者 - APT-C-30

The 潜行者 group mainly collects sensitive information from government agencies, defence departments and intelligence agencies of Southeast Asian countries, and has conducted network attacks against China for over ten years. It mainly targets key organisations in government, telecommunications and other sectors. Its attacks can be traced back to 2009, the earliest sample compile time is 2008, and activity continues to this day.

The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"

潜行者 - APT-C-30 is also known as:

Table 23. Table References

Links

https://apt.360.net/report/apts/82.html

响尾蛇 - APT-C-24

APT-C-24, also known as SideWinder and Rattlesnake, is an APT group with an Indian background. It usually targets countries in South Asia and neighbouring regions, including Pakistan, China and Nepal, mainly attacking government, military and diplomatic targets; one of its most common infection vectors is malicious documents that exploit vulnerabilities. In early 2020 the group also launched attacks on Bangladesh, China and Pakistan using COVID-19-themed lure documents. Tracking of the group in recent years shows that SideWinder increasingly uses trending topics such as COVID-19 and various political issues as a social-engineering technique against its targets, so extra vigilance is needed.

The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"

响尾蛇 - APT-C-24 is also known as:

  • SideWinder

响尾蛇 - APT-C-24 has relationships with:

  • similar: misp-galaxy:threat-actor="RAZOR TIGER" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121" with estimative-language:likelihood-probability="likely"

Table 24. Table References

Links

https://apt.360.net/report/apts/92.html

ScarCruft - APT-C-28

The APT-C-28 group, also known as ScarCruft, APT37 (Reaper) and Group123, is a foreign APT group from Northeast Asia whose attacks can be traced back to 2012 and which remains active today. It mainly conducts cyber-espionage against South Korea and other Asian countries, primarily stealing intelligence and sensitive data relating to strategic military, political and economic interests. The group was first exposed by Kaspersky in June 2016, and various security vendors have since tracked it and disclosed its latest attacks.

The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"

ScarCruft - APT-C-28 is also known as:

  • APT37(Reaper)

  • Group123

ScarCruft - APT-C-28 has relationships with:

  • similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="APT37 - G0067" with estimative-language:likelihood-probability="likely"

Table 25. Table References

Links

https://apt.360.net/report/apts/79.html

Turla - APT-C-29

The Turla group, also known as Waterbug, Venomous Bear and Group 88, is an APT group with a Russian background, active since at least 1996 and more frequently since 2015. Turla's targets span many countries around the world and cover government, diplomatic, military, education, research, medical and other sectors; the group is known for watering-hole attacks, spear-phishing and the use of customised malware.

The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"

Turla - APT-C-29 is also known as:

  • Turla

  • Waterbug

  • Venomous Bear

  • Group 88

Table 26. Table References

Links

https://apt.360.net/report/apts/81.html

https://apt.360.net/report/apts/88.html

Carbanak - APT-C-11

The Carbanak (also Anunak) attack group is a transnational cybercrime gang. Since 2013 it has attacked a total of 100 banks, electronic payment systems and other financial institutions in about 30 countries and regions worldwide, and its attacks remain active.

The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"

Carbanak - APT-C-11 is also known as:

  • Anunak

Carbanak - APT-C-11 has relationships with:

  • similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"

Table 27. Table References

Links

https://apt.360.net/report/apts/68.html

飞鲨 - APT-C-17

APT-C-17 is an APT attack discovered by 360, which we named Operation 飞鲨 ("Flying Shark"). The attacks can be traced back to January 2013 and remained active until March 2014, mainly targeting the Chinese aerospace sector with the aim of stealing sensitive data from targeted users. No related attacks have been observed recently.

The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"

飞鲨 - APT-C-17 is also known as:

Table 28. Table References

Links

https://apt.360.net/report/apts/71.html

方程式 - APT-C-40

APT-C-40 (Equation, 方程式) is the most powerful APT group in history. The group has been active for nearly 20 years, surpasses all previous network attack groups in attack complexity and technique, and is believed to be the operator behind the well-known Stuxnet and Flame malware.

The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"

方程式 - APT-C-40 is also known as:

Table 29. Table References

Links

https://apt.360.net/report/apts/85.html

透明部落 - APT-C-56

Operation C-Major, also known as Transparent Tribe, APT36 and Mythic Leopard, is an APT group with a Pakistani background. Its attacks have a broad reach, but its main targets are Indian government and military organisations; in the name of national interest, civil-society groups and politicians within Pakistan are also major targets. The group was first discovered in 2013 and has remained active in recent years. In early 2020 it launched spear-phishing attacks, the "Honey Trap" operation, against Indian government organisations and defence personnel using lure documents about the India-Pakistan border dispute, in order to steal state secrets and sensitive data.

The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"

透明部落 - APT-C-56 is also known as:

  • APT36

  • ProjectM

  • C-Major

透明部落 - APT-C-56 has relationships with:

  • similar: misp-galaxy:threat-actor="Operation C-Major" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134" with estimative-language:likelihood-probability="likely"

Table 30. Table References

Links

腾云蛇 - APT-C-61

APT-C-61, also known as 腾云蛇, has been active since at least January 2020 and remains active. Its main targets are state institutions, the defence industry, research and defence sectors in Pakistan, Bangladesh and other countries. It gains access through spear-phishing emails combined with social engineering, delivers malware to target devices, covertly controls them and continuously steals sensitive files. The name derives from the group's reliance on cloud services for C2, payload delivery and storage of stolen data, and from its trojan being written in Python.

The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"

腾云蛇 - APT-C-61 is also known as:

Table 31. Table References

Links

Kimsuky - APT-C-55

Kimsuky is an APT group located in North Korea, also known as Mystery Baby, Baby Coin, Smoke Screen, BabyShark and Cobra Venom, first disclosed by Kaspersky in 2013. The group has long attacked South Korean think tanks, government and diplomatic bodies, news organisations and academic institutions, and in recent years has expanded its targets to countries including the United States, Russia and European states. Its main goals are intelligence theft and espionage. The group is very active; its common attack payloads are HWP files carrying exploits, malicious macro documents and PE files that drop payloads.

The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"

Kimsuky - APT-C-55 is also known as:

Table 32. Table References

Links

卢甘斯克组织 - APT-C-46

In early 2019 a foreign security vendor disclosed a targeted attack campaign against the Ukrainian government by an APT group with a suspected Luhansk background. According to the related report, the group's activity can be traced back to at least 2014; it has extensively used phishing and watering-hole attacks against Ukrainian government agencies, and in past campaigns has used malware such as the open-source Quasar RAT and VERMIN to capture audio and video from targets, steal passwords and obtain confidential documents.

The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"

卢甘斯克组织 - APT-C-46 is also known as:

  • APT-C-46

Table 33. Table References

Links

https://apt.360.net/report/apts/169.html

旺刺组织 - APT-C-47

Recently the 360 Security Brain detected several attack campaigns using malicious ClickOnce applications. In-depth analysis by the 360 Advanced Threat Research Institute found that they were attacks by a previously undisclosed APT group from the Korean Peninsula region, targeting entities and individuals connected with that region; 360 Security Brain data shows that the group's activity can be traced back to 2018. No security vendor has yet publicly disclosed the group's attacks, nor a real APT attack using this technique. Since this activity was first captured and disclosed by 360, we named the group 旺刺 (a homophone of the attack technique the group specialises in) and assigned it the new designation APT-C-47.

The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"

旺刺组织 - APT-C-47 is also known as:

  • APT-C-47

Table 34. Table References

Links

https://apt.360.net/report/apts/168.html

DomesticKitten - APT-C-50

Domestic Kitten (Check Point), also designated APT-C-50, was first disclosed by a foreign security vendor. Since 2016 it has conducted extensive targeted attacks against dissidents and opposition forces within a certain Middle Eastern country, as well as ISIS supporters and the Kurdish minority living mainly in the west of that country. Notably, all targets are citizens of that country. Government bodies of that country, such as the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and the Ministry of the Interior, may be supporting the group.

The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"

DomesticKitten - APT-C-50 is also known as:

  • APT-C-50

Table 35. Table References

Links

https://apt.360.net/report/apts/166.html

SandCat - APT-C-32

SandCat was first discovered by Kaspersky in 2018. The group has been using the FinFisher/FinSpy spyware and the CHAINSHOT attack framework, has the ability to use 0-day vulnerabilities, and has previously used CVE-2018-8589 and CVE-2018-8611. It mainly attacks targets in the Middle East, Africa and Eastern Europe.

The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"

SandCat - APT-C-32 is also known as:

Table 36. Table References

Links

CNC - APT-C-48

The group was discovered in 2019 and is provisionally called CNC because the string cnc_client appears in the PDB path of its samples. The group targets China's education, aerospace, defence-industry and medical sectors to steal intelligence. During attacks it attempts to use N-day exploits, and it has developers capable of writing trojans in Go.

The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"

CNC - APT-C-48 is also known as:

Table 37. Table References

Links

蓝色魔眼 - APT-C-41

APT-C-41 is an APT group with a Turkish background whose earliest attacks can be traced back to 2012. The group mainly attacks Italy, Turkey, Belgium, Syria and other countries and regions in Europe. In 2020, 360 discovered attacks by the group against Chinese organisations and designated it APT-C-41.

The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"

蓝色魔眼 - APT-C-41 is also known as:

Table 38. Table References

Links

https://apt.360.net/report/apts/158.html

Machete - APT-C-43

El Machete was first discovered by Kaspersky; its earliest attacks can be traced back to 2014 and mainly target Latin America. 360's 白泽 (Baize) Lab discovered a new Python-based backdoor, Pyark; through in-depth analysis and attribution of the backdoor we uncovered a series of advanced threat operations active since 2019, in which the attackers compromised several Venezuelan military institutions, deployed the backdoor, and continuously monitored and stole the latest military secrets.

The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"

Machete - APT-C-43 is also known as:

  • Machete

Machete - APT-C-43 has relationships with:

  • similar: misp-galaxy:threat-actor="El Machete" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:mitre-intrusion-set="Machete - G0095" with estimative-language:likelihood-probability="likely"

Table 39. Table References

Links

https://apt.360.net/report/apts/159.html

Gamaredon - APT-C-53

Gamaredon, also known as Primitive Bear, Winterflounder and BlueAlpha, has been active since at least 2013 and is an APT group sponsored by the Russian government. It mainly conducts cyber-espionage against Ukrainian government, defence, diplomatic and news-media targets. In recent years the group has continually upgraded its tactics and techniques and developed customised malware, making it harder for security personnel to capture and track it.

The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"

Gamaredon - APT-C-53 is also known as:

Table 40. Table References

Links

北非狐 - APT-C-44

The 北非狐 (North African Fox) group (APT-C-44) is a foreign APT group from Algeria that has been active for 3 years. It mainly conducts cyber-espionage against the Middle East, primarily to steal sensitive information. Its attacks can be traced back to November 2017 and it remains active.

The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"

北非狐 - APT-C-44 is also known as:

Table 41. Table References

Links

https://apt.360.net/report/apts/157.html

WellMess - APT-C-42

The WELLMESS group is a relatively new Russian-speaking foreign APT group, first discovered in 2017 and active since. It mainly conducts espionage attacks against Asia, has carried out a supply-chain attack lasting over two years, and has exploit capabilities. Its targets are mainly government, IT and research organisations, primarily to steal files.

The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"

WellMess - APT-C-42 is also known as:

Table 42. Table References

Links

https://apt.360.net/report/apts/136.html

Android

Android malware galaxy based on multiple open sources.

Android is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

CopyCat

CopyCat is fully developed malware with vast capabilities, including rooting devices, establishing persistence, and injecting code into Zygote, the daemon responsible for launching apps in the Android operating system, which allows the malware to control any activity on the device.

The tag is: misp-galaxy:android="CopyCat"

Table 43. Table References

Links

https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/

Andr/Dropr-FH

Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.

The tag is: misp-galaxy:android="Andr/Dropr-FH"

Andr/Dropr-FH is also known as:

  • GhostCtrl

Andr/Dropr-FH has relationships with:

  • similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"

Table 44. Table References

Links

https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/

https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data

Judy

The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

The tag is: misp-galaxy:android="Judy"

Table 45. Table References

Links

http://fortune.com/2017/05/28/android-malware-judy/

https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

RedAlert2

The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.

The tag is: misp-galaxy:android="RedAlert2"

RedAlert2 has relationships with:

  • similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"

Table 46. Table References

Links

https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Tizi

Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.

The tag is: misp-galaxy:android="Tizi"

Table 47. Table References

Links

https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html

DoubleLocker

DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.

The tag is: misp-galaxy:android="DoubleLocker"

DoubleLocker has relationships with:

  • similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"

Table 48. Table References

Links

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Svpeng

Svpeng is a banking trojan that acts as a keylogger. If the Android device's locale is not Russian, Svpeng asks for permission to use accessibility services. By abusing this service it gains administrator rights, allowing it to draw over other apps, send and receive SMS, and take screenshots when keys are pressed.

The tag is: misp-galaxy:android="Svpeng"

Svpeng is also known as:

  • Invisible Man

Svpeng has relationships with:

  • similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 49. Table References

Links

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

LokiBot

LokiBot is a banking trojan for Android 4.0 and higher. It can steal information and send SMS messages, start web browsers and banking applications, and show notifications impersonating other apps. On an attempt to remove it, it encrypts the device's external storage and demands Bitcoin to decrypt the files.

The tag is: misp-galaxy:android="LokiBot"

LokiBot has relationships with:

  • similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

Table 50. Table References

Links

https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html

BankBot

The main goal of this malware is to steal banking credentials from the victim's device. It usually impersonates Flash Player updaters, Android system tools, or other legitimate applications.

The tag is: misp-galaxy:android="BankBot"

BankBot has relationships with:

  • similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"

Table 51. Table References

Links

https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot

https://forensics.spreitzenbarth.de/android-malware/

https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers

Viking Horde

On rooted devices, Viking Horde installs software and executes code remotely to gain access to mobile data.

The tag is: misp-galaxy:android="Viking Horde"

Table 52. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

HummingBad

A Chinese advertising company developed this malware. It can take control of devices, forcing users to click advertisements and download apps. The malware uses a multistage attack chain.

The tag is: misp-galaxy:android="HummingBad"

HummingBad has relationships with:

  • similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"

Table 53. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Ackposts

Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.

The tag is: misp-galaxy:android="Ackposts"

Table 54. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99

Wirex

Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.

The tag is: misp-galaxy:android="Wirex"

Table 55. Table References

Links

https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/

http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/

WannaLocker

WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.

The tag is: misp-galaxy:android="WannaLocker"

Table 56. Table References

Links

https://fossbytes.com/wannalocker-ransomware-wannacry-android/

Switcher

Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Switcher attempts to break into the admin interface of the router on the device's Wi-Fi network by brute-forcing its credentials. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to servers controlled by the malicious actors.

The tag is: misp-galaxy:android="Switcher"

Switcher has relationships with:

  • similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"

Table 57. Table References

Links

http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/

https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99

Vibleaker

Vibleaker was an app available on the Google Play Store, named Beaver Gang Counter, that contained malicious code which, on specific orders from its operator, would scan the user's phone for the Viber app and then steal photos and videos recorded or sent through the app.

The tag is: misp-galaxy:android="Vibleaker"

Table 58. Table References

Links

http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml

ExpensiveWall

ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.

The tag is: misp-galaxy:android="ExpensiveWall"

Table 59. Table References

Links

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

http://fortune.com/2017/09/14/google-play-android-malware/

Cepsohord

Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.

The tag is: misp-galaxy:android="Cepsohord"

Table 60. Table References

Links

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord

Fakem Rat

Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:android="Fakem Rat"

Table 61. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

GM Bot

GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps' log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.

The tag is: misp-galaxy:android="GM Bot"

GM Bot is also known as:

  • Acecard

  • SlemBunk

  • Bankosy

GM Bot has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 62. Table References

Links

https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide

Moplus

The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.

The tag is: misp-galaxy:android="Moplus"

Table 63. Table References

Links

http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html

Adwind

Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. It accepts commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms, providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

The tag is: misp-galaxy:android="Adwind"

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • Jsocket

  • jRat

  • Backdoor:Java/Adwind

Adwind has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 64. Table References

Links

https://securelist.com/adwind-faq/73660/

AdSms

Adsms is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="AdSms"

Table 65. Table References

Links

https://www.fortiguard.com/encyclopedia/virus/7389670

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99

Airpush

Airpush is a very aggressive ad network.

The tag is: misp-galaxy:android="Airpush"

Airpush is also known as:

  • StopSMS

Table 66. Table References

Links

https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf

BeanBot

BeanBot forwards the device's data to a remote server and sends out premium-rate SMS messages from the infected device.

The tag is: misp-galaxy:android="BeanBot"

Table 67. Table References

Links

https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml

Kemoge

Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the user's Android device.

The tag is: misp-galaxy:android="Kemoge"

Kemoge has relationships with:

  • similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"

Table 68. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99

Ghost Push

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.

The tag is: misp-galaxy:android="Ghost Push"

Table 69. Table References

Links

https://en.wikipedia.org/wiki/Ghost_Push

https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push

BeNews

The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.

The tag is: misp-galaxy:android="BeNews"

Table 70. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/

Accstealer

Accstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Accstealer"

Table 71. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99

Acnetdoor

Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.

The tag is: misp-galaxy:android="Acnetdoor"

Table 72. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99

Acnetsteal

Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.

The tag is: misp-galaxy:android="Acnetsteal"

Table 73. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99

Actech

Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Actech"

Table 74. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99

AdChina

AdChina is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdChina"

Table 75. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99

Adfonic

Adfonic is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adfonic"

Table 76. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99

AdInfo

AdInfo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdInfo"

Table 77. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99

Adknowledge

Adknowledge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adknowledge"

Table 78. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99

AdMarvel

AdMarvel is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMarvel"

Table 79. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99

AdMob

AdMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMob"

Table 80. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99

Adrd

Adrd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Adrd"

Table 81. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99

Aduru

Aduru is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Aduru"

Table 82. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99

Adwhirl

Adwhirl is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwhirl"

Table 83. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99

Adwlauncher

Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Adwlauncher"

Table 84. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99

Adwo

Adwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwo"

Table 85. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99

Airad

Airad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Airad"

Table 86. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99

Alienspy

Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.

The tag is: misp-galaxy:android="Alienspy"

Table 87. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99

AmazonAds

AmazonAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AmazonAds"

Table 88. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99

Answerbot

Answerbot is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Answerbot"

Table 89. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99

Antammi

Antammi is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Antammi"

Table 90. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99

Apkmore

Apkmore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apkmore"

Table 91. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99

Aplog

Aplog is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Aplog"

Table 92. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99

Appenda

Appenda is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Appenda"

Table 93. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99

Apperhand

Apperhand is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apperhand"

Table 94. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99

Appleservice

Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Appleservice"

Table 95. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99

AppLovin

AppLovin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AppLovin"

Table 96. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99

Arspam

Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.

The tag is: misp-galaxy:android="Arspam"

Table 97. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99

Aurecord

Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Aurecord"

Table 98. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99

Backapp

Backapp is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Backapp"

Table 99. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99

Backdexer

Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.

The tag is: misp-galaxy:android="Backdexer"

Table 100. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99

Backflash

Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Backflash"

Table 101. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Backscript

Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.

The tag is: misp-galaxy:android="Backscript"

Table 102. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99

Badaccents

Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.

The tag is: misp-galaxy:android="Badaccents"

Table 103. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99

Badpush

Badpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Badpush"

Table 104. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99

Ballonpop

Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Ballonpop"

Table 105. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99

Bankosy

Bankosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Bankosy"

Bankosy has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 106. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99

Bankun

Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.

The tag is: misp-galaxy:android="Bankun"

Table 107. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99

Basebridge

Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Basebridge"

Table 108. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99

Basedao

Basedao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Basedao"

Table 109. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99

Batterydoctor

Batterydoctor is a Trojan that makes exaggerated claims about the device's ability to recharge the battery, and also steals information.

The tag is: misp-galaxy:android="Batterydoctor"

Table 110. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99

Beaglespy

Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Beaglespy"

Table 111. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99

Becuro

Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Becuro"

Table 112. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99

Beita

Beita is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Beita"

Table 113. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99

Bgserv

Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Bgserv"

Table 114. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99

Biigespy

Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Biigespy"

Table 115. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99

Bmaster

Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Bmaster"

Table 116. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

Bossefiv

Bossefiv is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Bossefiv"

Table 117. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99

Boxpush

Boxpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Boxpush"

Table 118. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99

Burstly

Burstly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Burstly"

Table 119. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99

Buzzcity

Buzzcity is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Buzzcity"

Table 120. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99

ByPush

ByPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ByPush"

Table 121. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99

Cajino

Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Cajino"

Table 122. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99

Casee

Casee is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Casee"

Table 123. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99

Catchtoken

Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Catchtoken"

Table 124. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99

Cauly

Cauly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cauly"

Table 125. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99

Cellshark

Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Cellshark"

Table 126. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99

Centero

Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Centero"

Table 127. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99

Chuli

Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.

The tag is: misp-galaxy:android="Chuli"

Table 128. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99

Citmo

Citmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Citmo"

Table 129. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99

Claco

Claco is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Claco"

Table 130. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99

Clevernet

Clevernet is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Clevernet"

Table 131. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99

Cnappbox

Cnappbox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cnappbox"

Table 132. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99

Cobblerone

Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.

The tag is: misp-galaxy:android="Cobblerone"

Table 133. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99

Coolpaperleak

Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Coolpaperleak"

Table 134. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99

Coolreaper

Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.

The tag is: misp-galaxy:android="Coolreaper"

Table 135. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99

Cosha

Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Cosha"

Table 136. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99

Counterclank

Counterclank is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Counterclank"

Table 137. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99

Crazymedia

Crazymedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Crazymedia"

Table 138. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99

Crisis

Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Crisis"

Crisis has relationships with:

  • similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"

Table 139. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99

Crusewind

Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Crusewind"

Table 140. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99

Dandro

Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.

The tag is: misp-galaxy:android="Dandro"

Table 141. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99

Daoyoudao

Daoyoudao is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Daoyoudao"

Table 142. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99

Deathring

Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Deathring"

Table 143. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99

Deeveemap

Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Deeveemap"

Table 144. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99

Dendoroid

Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.

The tag is: misp-galaxy:android="Dendoroid"

Table 145. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99

Dengaru

Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.

The tag is: misp-galaxy:android="Dengaru"

Table 146. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99

Diandong

Diandong is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Diandong"

Table 147. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99

Dianjin

Dianjin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dianjin"

Table 148. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99

Dogowar

Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.

The tag is: misp-galaxy:android="Dogowar"

Table 149. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99

Domob

Domob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Domob"

Table 150. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99

Dougalek

Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.

The tag is: misp-galaxy:android="Dougalek"

Table 151. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99

Dowgin

Dowgin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dowgin"

Table 152. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99

Droidsheep

Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.

The tag is: misp-galaxy:android="Droidsheep"

Table 153. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99

Dropdialer

Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Dropdialer"

Table 154. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99

Dupvert

Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.

The tag is: misp-galaxy:android="Dupvert"

Table 155. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99

Dynamicit

Dynamicit is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dynamicit"

Table 156. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99

Ecardgrabber

Ecardgrabber is an application that attempts to read details from NFC-enabled credit cards that are in close proximity.

The tag is: misp-galaxy:android="Ecardgrabber"

Table 157. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99

Ecobatry

Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Ecobatry"

Table 158. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99

Enesoluty

Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Enesoluty"

Table 159. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99

Everbadge

Everbadge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Everbadge"

Table 160. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99

Ewalls

Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.

The tag is: misp-galaxy:android="Ewalls"

Table 161. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99

Exprespam

Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.

The tag is: misp-galaxy:android="Exprespam"

Table 162. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99

Fakealbums

Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.

The tag is: misp-galaxy:android="Fakealbums"

Table 163. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99

Fakeangry

Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Fakeangry"

Table 164. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99

Fakeapp

Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.

The tag is: misp-galaxy:android="Fakeapp"

Table 165. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99

Fakebanco

Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.

The tag is: misp-galaxy:android="Fakebanco"

Table 166. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99

Fakebank

Fakebank is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank"

Table 167. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99

Fakebank.B

Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank.B"

Table 168. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99

Fakebok

Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.

The tag is: misp-galaxy:android="Fakebok"

Table 169. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99

Fakedaum

Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakedaum"

Table 170. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99

Fakedefender

Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender"

Table 171. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99

Fakedefender.B

Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender.B"

Table 172. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99

Fakedown

Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.

The tag is: misp-galaxy:android="Fakedown"

Table 173. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99

Fakeflash

Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.

The tag is: misp-galaxy:android="Fakeflash"

Table 174. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99

Fakegame

Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakegame"

Table 175. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99

Fakeguard

Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakeguard"

Table 176. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99

Fakejob

Fakejob is a Trojan horse for Android devices that redirects users to scam websites.

The tag is: misp-galaxy:android="Fakejob"

Table 177. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99

Fakekakao

Fakekakao is a Trojan horse for Android devices that sends SMS messages to contacts stored on the compromised device.

The tag is: misp-galaxy:android="Fakekakao"

Table 178. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99

Fakelemon

Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.

The tag is: misp-galaxy:android="Fakelemon"

Table 179. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99

Fakelicense

Fakelicense is a Trojan horse that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Fakelicense"

Table 180. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99

Fakelogin

Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakelogin"

Table 181. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99

FakeLookout

FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="FakeLookout"

Table 182. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99

FakeMart

FakeMart is a Trojan horse for Android devices that may send SMS messages to premium-rate numbers. It may also block incoming messages and steal information from the compromised device.

The tag is: misp-galaxy:android="FakeMart"

Table 183. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99

Fakemini

Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.

The tag is: misp-galaxy:android="Fakemini"

Table 184. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99

Fakemrat

Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakemrat"

Table 185. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

Fakeneflic

Fakeneflic is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fakeneflic"

Table 186. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99

Fakenotify

Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.

The tag is: misp-galaxy:android="Fakenotify"

Table 187. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99

Fakepatch

Fakepatch is a Trojan horse for Android devices that downloads more files onto the device.

The tag is: misp-galaxy:android="Fakepatch"

Table 188. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99

Fakeplay

Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Fakeplay"

Table 189. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99

Fakescarav

Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakescarav"

Table 190. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99

Fakesecsuit

Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakesecsuit"

Table 191. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99

Fakesucon

Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Fakesucon"

Table 192. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99

Faketaobao

Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Faketaobao"

Table 193. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

Faketaobao.B

Faketaobao.B is a Trojan horse for Android devices that intercepts incoming SMS messages and sends them to a remote attacker.

The tag is: misp-galaxy:android="Faketaobao.B"

Table 194. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99

Faketoken

Faketoken is a Trojan horse that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Faketoken"

Table 195. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99

http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/

Fakeupdate

Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.

The tag is: misp-galaxy:android="Fakeupdate"

Table 196. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99

Fakevoice

Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.

The tag is: misp-galaxy:android="Fakevoice"

Table 197. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99

Farmbaby

Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Farmbaby"

Table 198. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99

Fauxtocopy

Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.

The tag is: misp-galaxy:android="Fauxtocopy"

Table 199. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99

Feiwo

Feiwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Feiwo"

Table 200. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99

FindAndCall

FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.

The tag is: misp-galaxy:android="FindAndCall"

Table 201. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99

Finfish

Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Finfish"

Table 202. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99

Fireleaker

Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fireleaker"

Table 203. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99

Fitikser

Fitikser is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fitikser"

Table 204. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99

Flexispy

Flexispy is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Flexispy"

Table 205. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99

Fokonge

Fokonge is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fokonge"

Table 206. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99

FoncySMS

FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.

The tag is: misp-galaxy:android="FoncySMS"

Table 207. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99

Frogonal

Frogonal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Frogonal"

Table 208. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99

Ftad

Ftad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ftad"

Table 209. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99

Funtasy

Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.

The tag is: misp-galaxy:android="Funtasy"

Table 210. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99

GallMe

GallMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="GallMe"

Table 211. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99

Gamex

Gamex is a Trojan horse for Android devices that downloads further threats.

The tag is: misp-galaxy:android="Gamex"

Table 212. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99

Gappusin

Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.

The tag is: misp-galaxy:android="Gappusin"

Table 213. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99

Gazon

Gazon is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Gazon"

Table 214. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99

Geinimi

Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Geinimi"

Table 215. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99

Generisk

Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.

The tag is: misp-galaxy:android="Generisk"

Table 216. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99

Genheur

Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

The tag is: misp-galaxy:android="Genheur"

Table 217. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99

Genpush

Genpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Genpush"

Table 218. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99

GeoFake

GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.

The tag is: misp-galaxy:android="GeoFake"

Table 219. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99

Geplook

Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.

The tag is: misp-galaxy:android="Geplook"

Table 220. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99

Getadpush

Getadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Getadpush"

Table 221. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99

Ggtracker

Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.

The tag is: misp-galaxy:android="Ggtracker"

Table 222. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99

Ghostpush

Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Ghostpush"

Table 223. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99

Gmaster

Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Gmaster"

Table 224. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99

Godwon

Godwon is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Godwon"

Table 225. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99

Golddream

Golddream is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Golddream"

Table 226. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99

Goldeneagle

Goldeneagle is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Goldeneagle"

Table 227. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99

Golocker

Golocker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Golocker"

Table 228. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99

Gomal

Gomal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Gomal"

Table 229. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99

Gonesixty

Gonesixty is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonesixty"

Table 230. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99

Gonfu

Gonfu is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu"

Table 231. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99

Gonfu.B

Gonfu.B is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu.B"

Table 232. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99

Gonfu.C

Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.

The tag is: misp-galaxy:android="Gonfu.C"

Table 233. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99

Gonfu.D

Gonfu.D is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Gonfu.D"

Table 234. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99

Gooboot

Gooboot is a Trojan horse for Android devices that may send text messages to premium-rate numbers.

The tag is: misp-galaxy:android="Gooboot"

Table 235. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99

Goodadpush

Goodadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Goodadpush"

Table 236. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99

Greystripe

Greystripe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Greystripe"

Table 237. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99

Gugespy

Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Gugespy"

Table 238. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99

Gugespy.B

Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Gugespy.B"

Table 239. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99

Gupno

Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.

The tag is: misp-galaxy:android="Gupno"

Table 240. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99

Habey

Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Habey"

Table 241. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99

Handyclient

Handyclient is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Handyclient"

Table 242. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99

Hehe

Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.

The tag is: misp-galaxy:android="Hehe"

Table 243. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99

Hesperbot

Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="Hesperbot"

Table 244. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99

Hippo

Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo"

Table 245. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99

Hippo.B

Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo.B"

Table 246. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99

IadPush

IadPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="IadPush"

Table 247. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99

iBanking

iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="iBanking"

Table 248. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99

Iconosis

Iconosis is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosis"

Table 249. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99

Iconosys

Iconosys is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosys"

Table 250. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99

Igexin

Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins.

The tag is: misp-galaxy:android="Igexin"

Igexin is also known as:

  • IcicleGum

Igexin has relationships with:

  • similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"

Table 251. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.lookout.com/igexin-malicious-sdk

ImAdPush

ImAdPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ImAdPush"

Table 252. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99

InMobi

InMobi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="InMobi"

Table 253. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99

Jifake

Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Jifake"

Table 254. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99

Jollyserv

Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Jollyserv"

Table 255. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99

Jsmshider

Jsmshider is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Jsmshider"

Table 256. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99

Ju6

Ju6 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ju6"

Table 257. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99

Jumptap

Jumptap is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jumptap"

Table 258. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99

Jzmob

Jzmob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jzmob"

Table 259. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99

Kabstamper

Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.

The tag is: misp-galaxy:android="Kabstamper"

Table 260. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99

Kidlogger

Kidlogger is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Kidlogger"

Table 261. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99

Kielog

Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.

The tag is: misp-galaxy:android="Kielog"

Table 262. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99

Kituri

Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Kituri"

Table 263. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99

Kranxpay

Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.

The tag is: misp-galaxy:android="Kranxpay"

Table 264. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99

Krysanec

Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Krysanec"

Table 265. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99

Kuaidian360

Kuaidian360 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuaidian360"

Table 266. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99

Kuguo

Kuguo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuguo"

Table 267. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99

Lastacloud

Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Lastacloud"

Table 268. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99

Laucassspy

Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Laucassspy"

Table 269. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99

Lifemonspy

Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.

The tag is: misp-galaxy:android="Lifemonspy"

Table 270. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99

Lightdd

Lightdd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Lightdd"

Table 271. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99

Loaderpush

Loaderpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Loaderpush"

Table 272. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99

Locaspy

Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.

The tag is: misp-galaxy:android="Locaspy"

Table 273. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99

Lockdroid.E

Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.E"

Table 274. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99

Lockdroid.F

Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.F"

Table 275. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99

Lockdroid.G

Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.G"

Table 276. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99

Lockdroid.H

Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.H"

Table 277. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99

Lockscreen

Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.

The tag is: misp-galaxy:android="Lockscreen"

Table 278. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99

LogiaAd

LogiaAd is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="LogiaAd"

Table 279. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99

Loicdos

Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.

The tag is: misp-galaxy:android="Loicdos"

Table 280. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99

Loozfon

Loozfon is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Loozfon"

Table 281. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99

Lotoor

Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.

The tag is: misp-galaxy:android="Lotoor"

Table 282. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99

Lovespy

Lovespy is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Lovespy"

Table 283. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99

Lovetrap

Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Lovetrap"

Table 284. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99

Luckycat

Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="Luckycat"

Table 285. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99

Machinleak

Machinleak is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Machinleak"

Table 286. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99

Maistealer

Maistealer is a Trojan that steals information from Android devices.

The tag is: misp-galaxy:android="Maistealer"

Table 287. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99

Malapp

Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.

The tag is: misp-galaxy:android="Malapp"

Table 288. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99

Malebook

Malebook is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malebook"

Table 289. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99

Malhome

Malhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malhome"

Table 290. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99

Malminer

Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.

The tag is: misp-galaxy:android="Malminer"

Table 291. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99

Mania

Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Mania"

Table 292. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99

Maxit

Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.

The tag is: misp-galaxy:android="Maxit"

Table 293. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99

MdotM

MdotM is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MdotM"

Table 294. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99

Medialets

Medialets is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Medialets"

Table 295. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99

Meshidden

Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Meshidden"

Table 296. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99

Mesploit

Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.

The tag is: misp-galaxy:android="Mesploit"

Table 297. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99

Mesprank

Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Mesprank"

Table 298. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99

Meswatcherbox

Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.

The tag is: misp-galaxy:android="Meswatcherbox"

Table 299. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99

Miji

Miji is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Miji"

Table 300. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99

Milipnot

Milipnot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Milipnot"

Table 301. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99

MillennialMedia

MillennialMedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MillennialMedia"

Table 302. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99

Mitcad

Mitcad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mitcad"

Table 303. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99

MobClix

MobClix is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobClix"

Table 304. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99

MobFox

MobFox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobFox"

Table 305. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99

Mobidisplay

Mobidisplay is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobidisplay"

Table 306. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99

Mobigapp

Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.

The tag is: misp-galaxy:android="Mobigapp"

Table 307. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99

MobileBackup

MobileBackup is a spyware application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="MobileBackup"

Table 308. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99

Mobilespy

Mobilespy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Mobilespy"

Table 309. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99

Mobiletx

Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Mobiletx"

Table 310. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99

Mobinaspy

Mobinaspy is a spyware application for Android devices that can track the device’s location.

The tag is: misp-galaxy:android="Mobinaspy"

Table 311. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99

Mobus

Mobus is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobus"

Table 312. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99

MobWin

MobWin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobWin"

Table 313. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99

Mocore

Mocore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mocore"

Table 314. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99

Moghava

Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.

The tag is: misp-galaxy:android="Moghava"

Table 315. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99

Momark

Momark is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Momark"

Table 316. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99

Monitorello

Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Monitorello"

Table 317. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99

Moolah

Moolah is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Moolah"

Table 318. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99

MoPub

MoPub is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MoPub"

Table 319. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99

Morepaks

Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.

The tag is: misp-galaxy:android="Morepaks"

Table 320. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99

Nandrobox

Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.

The tag is: misp-galaxy:android="Nandrobox"

Table 321. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99

Netisend

Netisend is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Netisend"

Table 322. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99

Nickispy

Nickispy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Nickispy"

Table 323. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99

Notcompatible

Notcompatible is a Trojan horse for Android devices that acts as a proxy.

The tag is: misp-galaxy:android="Notcompatible"

Table 324. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99

Nuhaz

Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.

The tag is: misp-galaxy:android="Nuhaz"

Table 325. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99

Nyearleaker

Nyearleaker is a Trojan horse program for Android devices that steals information.

The tag is: misp-galaxy:android="Nyearleaker"

Table 326. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99

Obad

Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.

The tag is: misp-galaxy:android="Obad"

Table 327. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99

Oneclickfraud

Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.

The tag is: misp-galaxy:android="Oneclickfraud"

Table 328. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99

Opfake

Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.

The tag is: misp-galaxy:android="Opfake"

Table 329. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99

Opfake.B

Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.

The tag is: misp-galaxy:android="Opfake.B"

Table 330. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99

Ozotshielder

Ozotshielder is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Ozotshielder"

Table 331. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99

Pafloat

Pafloat is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pafloat"

Table 332. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99

PandaAds

PandaAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="PandaAds"

Table 333. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99

Pandbot

Pandbot is a Trojan horse for Android devices that may download more files onto the device.

The tag is: misp-galaxy:android="Pandbot"

Table 334. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99

Pdaspy

Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Pdaspy"

Table 335. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99

Penetho

Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.

The tag is: misp-galaxy:android="Penetho"

Table 336. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99

Perkel

Perkel is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Perkel"

Table 337. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99

Phimdropper

Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.

The tag is: misp-galaxy:android="Phimdropper"

Table 338. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99

Phospy

Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.

The tag is: misp-galaxy:android="Phospy"

Table 339. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99

Piddialer

Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.

The tag is: misp-galaxy:android="Piddialer"

Table 340. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99

Pikspam

Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.

The tag is: misp-galaxy:android="Pikspam"

Table 341. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99

Pincer

Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pincer"

Table 342. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99

Pirator

Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Pirator"

Table 343. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99

Pjapps

Pjapps is a Trojan horse that has been embedded in third-party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.

The tag is: misp-galaxy:android="Pjapps"

Table 344. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99

Pjapps.B

Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pjapps.B"

Table 345. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99

Pletora

Pletora is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.

The tag is: misp-galaxy:android="Pletora"

Table 346. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99

Poisoncake

Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.

The tag is: misp-galaxy:android="Poisoncake"

Table 347. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99

Pontiflex

Pontiflex is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pontiflex"

Table 348. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99

Positmob

Positmob is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Positmob"

Table 349. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99

Premiumtext

Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.

The tag is: misp-galaxy:android="Premiumtext"

Table 350. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99

Pris

Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.

The tag is: misp-galaxy:android="Pris"

Table 351. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99

Qdplugin

Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Qdplugin"

Table 352. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99

Qicsomos

Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Qicsomos"

Table 353. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99

Qitmo

Qitmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Qitmo"

Table 354. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99

Rabbhome

Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Rabbhome"

Table 355. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99

Repane

Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.

The tag is: misp-galaxy:android="Repane"

Table 356. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

Reputation.1

Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.1"

Table 357. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99

Reputation.2

Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.2"

Table 358. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99

Reputation.3

Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.3"

Table 359. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99

RevMob

RevMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="RevMob"

Table 360. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99

Roidsec

Roidsec is a Trojan horse for Android devices that steals confidential information.

The tag is: misp-galaxy:android="Roidsec"

Table 361. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99

Rootcager

Rootcager is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Rootcager"

Table 362. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99

Rootnik

Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.

The tag is: misp-galaxy:android="Rootnik"

Rootnik has relationships with:

  • similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"

Table 363. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99

Rufraud

Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Rufraud"

Table 364. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99

Rusms

Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Rusms"

Table 365. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99

Samsapo

Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.

The tag is: misp-galaxy:android="Samsapo"

Table 366. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99

Sandorat

Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.

The tag is: misp-galaxy:android="Sandorat"

Table 367. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99

Sberick

Sberick is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sberick"

Table 368. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99

Scartibro

Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.

The tag is: misp-galaxy:android="Scartibro"

Table 369. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99

Scipiex

Scipiex is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Scipiex"

Table 370. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99

Selfmite

Selfmite is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite"

Table 371. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99

Selfmite.B

Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite.B"

Table 372. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99

SellARing

SellARing is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SellARing"

Table 373. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99

SendDroid

SendDroid is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SendDroid"

Table 374. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99

Simhosy

Simhosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Simhosy"

Table 375. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99

Simplocker

Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker"

Table 376. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

Simplocker.B

Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker.B"

Table 377. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99

Skullkey

Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.

The tag is: misp-galaxy:android="Skullkey"

Table 378. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Smaato

Smaato is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Smaato"

Table 379. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99

Smbcheck

Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.

The tag is: misp-galaxy:android="Smbcheck"

Table 380. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99

Smsblocker

Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.

The tag is: misp-galaxy:android="Smsblocker"

Table 381. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99

Smsbomber

Smsbomber is a program that can be used to send messages to contacts on the device.

The tag is: misp-galaxy:android="Smsbomber"

Table 382. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99

Smslink

Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.

The tag is: misp-galaxy:android="Smslink"

Table 383. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99

Smspacem

Smspacem is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="Smspacem"

Table 384. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99

SMSReplicator

SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.

The tag is: misp-galaxy:android="SMSReplicator"

Table 385. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99

Smssniffer

Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.

The tag is: misp-galaxy:android="Smssniffer"

Table 386. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99

Smsstealer

Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smsstealer"

Table 387. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99

Smstibook

Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Smstibook"

Table 388. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99

Smszombie

Smszombie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smszombie"

Table 389. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99

Snadapps

Snadapps is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Snadapps"

Table 390. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99

Sockbot

Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.

The tag is: misp-galaxy:android="Sockbot"

Table 391. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99

Sockrat

Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Sockrat"

Sockrat has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 392. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99

Sofacy

Sofacy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sofacy"

Sofacy has relationships with:

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

Table 393. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99

Sosceo

Sosceo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Sosceo"

Table 394. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99

Spitmo

Spitmo is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Spitmo"

Table 395. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99

Spitmo.B

Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spitmo.B"

Table 396. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99

Spyagent

Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Spyagent"

Table 397. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99

Spybubble

Spybubble is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Spybubble"

Table 398. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99

Spydafon

Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="Spydafon"

Table 399. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99

Spymple

Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Spymple"

Table 400. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99

Spyoo

Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spyoo"

Table 401. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99

Spytekcell

Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytekcell"

Table 402. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99

Spytrack

Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytrack"

Table 403. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99

Spywaller

Spywaller is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spywaller"

Table 404. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99

Stealthgenie

Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Stealthgenie"

Table 405. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99

Steek

Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.

The tag is: misp-galaxy:android="Steek"

Table 406. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99

Stels

Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Stels"

Table 407. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99

Stiniter

Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Stiniter"

Table 408. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99

Sumzand

Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Sumzand"

Table 409. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99

Sysecsms

Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sysecsms"

Table 410. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99

Tanci

Tanci is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tanci"

Table 411. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99

Tapjoy

Tapjoy is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tapjoy"

Table 412. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99

Tapsnake

Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.

The tag is: misp-galaxy:android="Tapsnake"

Table 413. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99

Tascudap

Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

The tag is: misp-galaxy:android="Tascudap"

Table 414. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99

Teelog

Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Teelog"

Table 415. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99

Temai

Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.

The tag is: misp-galaxy:android="Temai"

Table 416. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99

Tetus

Tetus is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Tetus"

Table 417. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99

Tgpush

Tgpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tgpush"

Table 418. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99

Tigerbot

Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Tigerbot"

Table 419. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99

Tonclank

Tonclank is a Trojan horse that steals information and may open a back door on Android devices.

The tag is: misp-galaxy:android="Tonclank"

Table 420. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99

Trogle

Trogle is a worm for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Trogle"

Table 421. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99

Twikabot

Twikabot is a Trojan horse for Android devices that attempts to steal information.

The tag is: misp-galaxy:android="Twikabot"

Table 422. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99

Uapush

Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Uapush"

Table 423. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99

Umeng

Umeng is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Umeng"

Table 424. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99

Updtbot

Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.

The tag is: misp-galaxy:android="Updtbot"

Table 425. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99

Upush

Upush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Upush"

Table 426. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99

Uracto

Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.

The tag is: misp-galaxy:android="Uracto"

Table 427. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99

Uranico

Uranico is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Uranico"

Table 428. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99

Usbcleaver

Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Usbcleaver"

Table 429. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Utchi

Utchi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Utchi"

Table 430. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99

Uten

Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.

The tag is: misp-galaxy:android="Uten"

Table 431. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99

Uupay

Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.

The tag is: misp-galaxy:android="Uupay"

Table 432. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99

Uxipp

Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Uxipp"

Table 433. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99

Vdloader

Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.

The tag is: misp-galaxy:android="Vdloader"

Table 434. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99

VDopia

VDopia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VDopia"

Table 435. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99

Virusshield

Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.

The tag is: misp-galaxy:android="Virusshield"

Table 436. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99

VServ

VServ is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VServ"

Table 437. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99

Walkinwat

Walkinwat is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Walkinwat"

Table 438. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99

Waps

Waps is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waps"

Table 439. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99

Waren

Waren is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waren"

Table 440. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99

Windseeker

Windseeker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Windseeker"

Table 441. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99

Wiyun

Wiyun is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wiyun"

Table 442. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99

Wooboo

Wooboo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wooboo"

Table 443. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99

Wqmobile

Wqmobile is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wqmobile"

Table 444. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99

YahooAds

YahooAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YahooAds"

Table 445. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99

Yatoot

Yatoot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Yatoot"

Table 446. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99

Yinhan

Yinhan is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Yinhan"

Table 447. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99

Youmi

Youmi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Youmi"

Table 448. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99

YuMe

YuMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YuMe"

Table 449. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99

Zeahache

Zeahache is a Trojan horse that elevates privileges on the compromised device.

The tag is: misp-galaxy:android="Zeahache"

Table 450. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99

ZertSecurity

ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.

The tag is: misp-galaxy:android="ZertSecurity"

Table 451. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99

ZestAdz

ZestAdz is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ZestAdz"

Table 452. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99

Zeusmitmo

Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Zeusmitmo"

Table 453. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99

SLocker

The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware families and has been used to impersonate law enforcement agencies to convince victims to pay the ransom.

The tag is: misp-galaxy:android="SLocker"

SLocker is also known as:

  • SMSLocker

Table 454. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/

http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/

Loapi

A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own devices, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.

The tag is: misp-galaxy:android="Loapi"

Table 455. Table References

Links

https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/

Podec

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

The tag is: misp-galaxy:android="Podec"

Table 456. Table References

Links

https://securelist.com/sms-trojan-bypasses-captcha/69169//

Chamois

Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.

The tag is: misp-galaxy:android="Chamois"

Table 457. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html

IcicleGum

IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.

The tag is: misp-galaxy:android="IcicleGum"

IcicleGum has relationships with:

  • similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"

Table 458. Table References

Links

https://blog.lookout.com/igexin-malicious-sdk

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

BreadSMS

BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.

The tag is: misp-galaxy:android="BreadSMS"

Table 459. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

JamSkunk

JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes its abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.

The tag is: misp-galaxy:android="JamSkunk"

Table 460. Table References

Links

https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Expensive Wall

Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.

The tag is: misp-galaxy:android="Expensive Wall"

Table 461. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

BambaPurple

BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.

The tag is: misp-galaxy:android="BambaPurple"

Table 462. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

KoreFrog

KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.

The tag is: misp-galaxy:android="KoreFrog"

Table 463. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Gaiaphish

Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages).

The tag is: misp-galaxy:android="Gaiaphish"

Table 464. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

RedDrop

RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The tag is: misp-galaxy:android="RedDrop"

Table 465. Table References

Links

https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/

HenBox

HenBox apps masquerade as others, such as VPN apps and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps; however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The tag is: misp-galaxy:android="HenBox"

Table 466. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/

MysteryBot

Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

The tag is: misp-galaxy:android="MysteryBot"

MysteryBot has relationships with:

  • similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"

Table 467. Table References

Links

https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Skygofree

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.

The tag is: misp-galaxy:android="Skygofree"

Skygofree has relationships with:

  • similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"

Table 468. Table References

Links

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

BusyGasper

A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.

The tag is: misp-galaxy:android="BusyGasper"

Table 469. Table References

Links

https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/

Triout

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

The tag is: misp-galaxy:android="Triout"

Table 470. Table References

Links

https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/

AndroidOS_HidenAd

An active adware family, detected by Trend Micro as AndroidOS_HidenAd, disguised as 85 game, TV and remote-control simulator apps on the Google Play store.

The tag is: misp-galaxy:android="AndroidOS_HidenAd"

AndroidOS_HidenAd is also known as:

  • AndroidOS_HiddenAd

Table 471. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/

Razdel

The banking Trojan found in Google Play is identified as Razdel, a variant of the BankBot mobile banking Trojan. This newly observed variant takes mobile threats to the next level by incorporating remote access Trojan functions, SMS interception, UI (user interface) overlays with masqueraded pages, and more.

The tag is: misp-galaxy:android="Razdel"

Table 472. Table References

Links

http://www.virusremovalguidelines.com/tag/what-is-bankbot

https://mobile.twitter.com/pr3wtd/status/1097477833625088000

Vulture

Vulture is an Android banking trojan found in Google Play by ThreatFabric. It relies mainly on screen recording and keylogging to harvest login credentials.

The tag is: misp-galaxy:android="Vulture"

Table 473. Table References

Links

https://www.threatfabric.com/blogs/vultur-v-for-vnc.html

https://twitter.com/icebre4ker/status/1485651238175846400

Anubis

Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) were discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis masquerades as Google Protect.

The tag is: misp-galaxy:android="Anubis"

Table 474. Table References

Links

https://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/

GodFather

The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.

The tag is: misp-galaxy:android="GodFather"

GodFather has relationships with:

  • successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"

Table 475. Table References

Links

https://blog.group-ib.com/godfather-trojan

Coper

Octo, also known as Coper or ExobotCompact, is an Android banking Trojan that evolved from the Exobot malware family, first observed in 2016. Initially based on the Marcher Trojan, Exobot targeted financial institutions globally until 2018, when a lighter version, ExobotCompact, emerged. By 2021, a new variant appeared, named Coper by some antivirus vendors, but later renamed as Octo — a rebranded and enhanced ExobotCompact. In 2024, Octo2, an even more advanced iteration, was released, driven partly by the leak of Octo’s source code. The Malware-as-a-Service (MaaS) model makes Octo accessible to even novice cybercriminals.

The tag is: misp-galaxy:android="Coper"

Coper is also known as:

  • ExobotCompact

  • OCTO

  • Octo2

Coper has relationships with:

  • similar: misp-galaxy:malpedia="Coper" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:malpedia="ExoBot" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:android="ExoBot" with estimative-language:likelihood-probability="likely"

Table 476. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper

https://x.com/cleafylabs/status/1833145006585987374

https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/

https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html

https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html

https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/

https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/

https://blog.cyble.com/2022/03/24/coper-banking-trojan/

https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant

https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/

https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs

https://twitter.com/icebre4ker/status/1541875982684094465

https://www.domaintools.com/resources/blog/uncovering-octo2-domains/

https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

https://any.run/malware-trends/Octo/

Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands are obfuscated or partly omitted to prevent abuse.

Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

AlertIQ - Craig Fretwell - Dor Edry - Jonny Johnson - Karl Fosaaen - MITRE ATT&CK - Manuel Berrueta - Microsoft - Nestori Syynimaa - Nikhil Mittal - Ram Pliskin - Roberto Rodriguez - Ryan Cobb

AZT101 - Port Mapping

The open ports on a virtual machine can be determined by viewing the Network Security Group assigned to its virtual network interface.

The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"

Table 478. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101

AZT102 - IP Discovery

The IP address of a resource can be determined by viewing its virtual network interface.

The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"

Table 479. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102

AZT103 - Public Accessible Resource

A resource within Azure is accessible from the public internet.

The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"

Table 480. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103

AZT104 - Gather User Information

An adversary may obtain information about a user within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users' roles and group memberships within AAD.

The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"

Table 481. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104

AZT105 - Gather Application Information

An adversary may obtain information about an application within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"

Table 482. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105

AZT106 - Gather Role Information

An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.

The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"

Table 483. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106

AZT106.1 - Gather AAD Role Information

An adversary may gather role assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"

Table 484. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1

AZT106.2 - Gather Application Role Information

An adversary may gather information about an application role and its member assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"

Table 485. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2

AZT106.3 - Gather Azure Resources Role Assignments

An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.

The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"

Table 486. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3

AZT107 - Gather Resource Data

An adversary may obtain information and data within a resource.

The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"

Table 487. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107

AZT108 - Gather Victim Data

An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.

The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"

Table 488. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108

AZT201 - Valid Credentials

Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary assumes all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.

The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"

Table 489. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201

AZT201.1 - User Account

By obtaining valid user credentials, an adversary may log in to AzureAD from the command line or through the Azure Portal.

The tag is: misp-galaxy:atrm="AZT201.1 - User Account"

Table 490. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1

AZT201.2 - Service Principal

By obtaining a valid secret or certificate, an adversary may log in to AzureAD as the service principal from the command line.

The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"

Table 491. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2

AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"

Table 492. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202
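The spraying pattern described above (one source, many accounts, the same few guesses) can be picked out of Entra ID sign-in logs by counting distinct failing accounts per source address inside a time window, and by pairing any success from that source with the failures around it. The following Python is an added example written for this page; it is not code from the ATRM project or the MISP galaxy. The sign-in records are constructed to follow the Microsoft Graph signIns shape (userPrincipalName, ipAddress, createdDateTime, status.errorCode); the field names, the 30-minute window and the five-account threshold are assumptions to tune against your own export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes used below (AADSTS50126 = invalid username or password).
INVALID_PASSWORD = 50126
SUCCESS = 0


def _signin(ts, upn, ip, code):
    """Build one record in the shape of a Microsoft Graph signIn object (constructed)."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.10 tries six accounts in half a minute and gets
# one right; 198.51.100.7 is a normal user mistyping a password twice.
SAMPLE_SIGNINS = [
    _signin("2024-05-01T08:00:05", "alice@example.org", "203.0.113.10", INVALID_PASSWORD),
    _signin("2024-05-01T08:00:09", "bob@example.org",   "203.0.113.10", INVALID_PASSWORD),
    _signin("2024-05-01T08:00:14", "carol@example.org", "203.0.113.10", INVALID_PASSWORD),
    _signin("2024-05-01T08:00:20", "dave@example.org",  "203.0.113.10", INVALID_PASSWORD),
    _signin("2024-05-01T08:00:26", "erin@example.org",  "203.0.113.10", INVALID_PASSWORD),
    _signin("2024-05-01T08:00:31", "frank@example.org", "203.0.113.10", SUCCESS),
    _signin("2024-05-01T08:02:00", "grace@example.org", "198.51.100.7", INVALID_PASSWORD),
    _signin("2024-05-01T08:02:30", "grace@example.org", "198.51.100.7", INVALID_PASSWORD),
    _signin("2024-05-01T08:03:00", "grace@example.org", "198.51.100.7", SUCCESS),
]


def detect_password_spray(signins, window=timedelta(minutes=30), min_users=5):
    """Return one finding per source IP whose bad-password failures cover at
    least `min_users` distinct accounts inside some `window`. Each finding also
    lists accounts that signed in successfully from that IP within the same
    window: those are the guesses that landed and need a password reset and a
    session review, not just a lockout."""
    by_ip = defaultdict(list)
    for s in signins:
        by_ip[s["ipAddress"]].append((datetime.fromisoformat(s["createdDateTime"]),
                                      s["userPrincipalName"].lower(),
                                      s["status"]["errorCode"]))
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):   # slide the window start over each event
            failed, hits = set(), set()
            for ts, upn, code in events[i:]:
                if ts - start > window:
                    break
                if code == INVALID_PASSWORD:
                    failed.add(upn)
                elif code == SUCCESS:
                    hits.add(upn)
            if len(failed) >= min_users and (best is None or len(failed) > best["failed_users"]):
                best = {"ip": ip, "window_start": start.isoformat(),
                        "failed_users": len(failed), "successes": sorted(hits)}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

A spray routed through a proxy pool shows up as many addresses each failing against only a few accounts; grouping by ASN, user agent or the `appDisplayName` of the client instead of by IP, with a lower `min_users`, catches that variant at the cost of more noise.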

AZT203 - Malicious Application Consent

An adversary may lure a victim into granting a malicious application registered in AzureAD access to their account.

The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"

Table 493. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203

AZT301 - Virtual Machine Scripting

Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.

The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"

Table 494. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301

AZT301.1 - RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"

Table 495. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1

AZT301.2 - CustomScriptExtension

By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"

Table 496. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2

AZT301.3 - Desired State Configuration

By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"

Table 497. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3

AZT301.4 - Compute Gallery Application

By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"

Table 498. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4

AZT301.5 - AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"

Table 499. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5

AZT301.6 - Vmss Run Command

By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on one or more VM instances as:

  • Windows: PowerShell commands to the VM as SYSTEM.

  • Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"

Table 500. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6

AZT301.7 - Serial Console

By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.

The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"

Table 501. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7
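All of the AZT301 sub-techniques above are control-plane operations, so they leave Azure Activity Log entries regardless of what the payload did inside the guest. The following Python is an added example for this page, not code from the ATRM project or the MISP galaxy: it hunts a batch of Activity Log records for those operations, folds the Started/Succeeded pair of one operation into a single finding, pulls the real extension type out of the request body (the extension name is attacker-chosen, the type is not), and suppresses callers on an allow list. The records, the pipeline service principal's app ID and the operation-name list are constructed or assumed; confirm the names against your tenant's own logs before relying on them.

```python
import re

# Control-plane operations (Azure Activity Log operationName, lower-cased) that
# the AZT301 sub-techniques go through. AZT301.4 (gallery applications) is not
# listed: it is attached through a VM update and needs request-body inspection.
# Verify these names against your own tenant's Activity Log before relying on them.
WATCHLIST = {
    "microsoft.compute/virtualmachines/runcommand/action": "AZT301.1 RunCommand",
    "microsoft.compute/virtualmachines/runcommands/write": "AZT301.1 RunCommand (managed run command)",
    "microsoft.compute/virtualmachines/extensions/write": "AZT301.2/301.3 VM extension",
    "microsoft.containerservice/managedclusters/runcommand/action": "AZT301.5 AKS command invoke",
    "microsoft.compute/virtualmachinescalesets/virtualmachines/runcommand/action": "AZT301.6 VMSS run command",
    "microsoft.serialconsole/serialports/connect/action": "AZT301.7 Serial console",
}


def _event(ts, op, caller, resource, status, corr, body=""):
    """One constructed Activity Log entry (only the fields this hunt reads)."""
    return {"eventTimestamp": ts, "operationName": op, "caller": caller,
            "resourceId": resource, "status": status, "correlationId": corr,
            "properties": {"requestbody": body}}


VM = "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"
AKS = "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod"
PIPELINE_SP = "11111111-2222-3333-4444-555555555555"   # placeholder app ID of a CI service principal

SAMPLE_EVENTS = [
    # A RunCommand produces a Started and a Succeeded record sharing one correlationId.
    _event("2024-05-01T09:00:00Z", "Microsoft.Compute/virtualMachines/runCommand/action",
           "mallory@example.org", VM, "Started", "c-1"),
    _event("2024-05-01T09:00:04Z", "Microsoft.Compute/virtualMachines/runCommand/action",
           "mallory@example.org", VM, "Succeeded", "c-1"),
    # Extension named innocuously; the request body gives away its real type.
    _event("2024-05-01T09:05:00Z", "Microsoft.Compute/virtualMachines/extensions/write",
           "mallory@example.org", VM + "/extensions/update-agent", "Succeeded", "c-2",
           '{"properties":{"publisher":"Microsoft.Compute","type":"CustomScriptExtension"}}'),
    _event("2024-05-01T09:10:00Z", "Microsoft.Compute/virtualMachines/write",
           "ops@example.org", VM, "Succeeded", "c-3"),
    _event("2024-05-01T09:15:00Z", "Microsoft.ContainerService/managedClusters/runCommand/action",
           PIPELINE_SP, AKS, "Succeeded", "c-4"),
    _event("2024-05-01T09:20:00Z", "Microsoft.SerialConsole/serialPorts/connect/action",
           "mallory@example.org", VM + "/providers/Microsoft.SerialConsole/serialPorts/0", "Succeeded", "c-5"),
    _event("2024-05-01T09:25:00Z", "Microsoft.Compute/virtualMachines/runCommand/action",
           "mallory@example.org", VM, "Failed", "c-6"),
]


def _extension_type(event):
    """Prefer the extension type from the request body (CustomScriptExtension,
    DSC, ...); fall back to the user-chosen name at the end of the resource ID."""
    body = event.get("properties", {}).get("requestbody") or ""
    match = re.search(r'"type"\s*:\s*"([^"]+)"', body)
    return match.group(1) if match else event["resourceId"].rsplit("/extensions/", 1)[-1]


def hunt_vm_scripting(events, allowed_callers=()):
    """Return one finding per successful (or in-flight) watch-listed operation,
    collapsing Started/Succeeded pairs and skipping callers on the allow list."""
    allowed = {c.lower() for c in allowed_callers}
    seen, findings = set(), []
    for e in events:
        op = e["operationName"].lower()
        if op not in WATCHLIST or e.get("status") == "Failed":
            continue
        if (e.get("caller") or "").lower() in allowed:
            continue
        key = (e.get("correlationId"), op)
        if key in seen:
            continue
        seen.add(key)
        finding = {"technique": WATCHLIST[op], "caller": e.get("caller"),
                   "resource": e["resourceId"], "time": e["eventTimestamp"]}
        if op.endswith("/extensions/write"):
            finding["extension"] = _extension_type(e)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_vm_scripting(SAMPLE_EVENTS, allowed_callers={PIPELINE_SP}):
        print(f)
```

Keep the allow list short and identity-based: a CI service principal that legitimately runs `command invoke` against AKS is a reasonable exception, but a human account that used RunCommand once is not, and a failed attempt is still worth a lower-severity alert since it shows intent even when RBAC blocked it.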

AZT302 - Serverless Scripting

Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.

The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"

Table 502. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302

AZT302.1 - Automation Account Runbook Hybrid Worker Group

By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.

The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"

Table 503. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1

AZT302.2 - Automation Account Runbook RunAs Account

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"

Table 504. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2

AZT302.3 - Automation Account Runbook Managed Identity

By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that identity's service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"

Table 505. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3

AZT302.4 - Function Application

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"

Table 506. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4

AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.

The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"

Table 507. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303

AZT401 - Privileged Identity Management Role

An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).

The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"

Table 508. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401

AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a Global Administrator.

The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"

Table 509. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402

AZT403 - Local Resource Hijack

By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.

The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"

Table 510. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1

AZT404 - Principal Impersonation

Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.

The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"

Table 511. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404

AZT404.1 - Function Application

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"

Table 512. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1

AZT404.2 - Logic Application

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"

Table 513. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2

AZT404.3 - Automation Account

By utilizing an Automation Account configured with a RunAs account or managed identity, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"

Table 514. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3

AZT404.4 - App Service

By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.4 - App Service"

Table 515. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4

AZT405 - Azure AD Application

Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.

The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"

Table 516. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405

AZT405.1 - Application API Permissions

By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.

The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"

Table 517. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1

AZT405.2 - Application Role

By compromising a user, a member of a group, or a service principal that holds an application role over an application, an attacker may escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.

The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"

Table 518. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2

AZT405.3 - Application Registration Owner

By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.

The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"

Table 519. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3
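AZT203 and the AZT405 sub-techniques both end with a service principal holding more permission than anyone intended: the former through a user's consent, the latter through application permissions, application roles or ownership. The Python below is an added example, not code from the ATRM project or the MISP galaxy. It reviews exported Entra ID objects in the shape of Graph's servicePrincipal, oauth2PermissionGrant and appRoleAssignment resources, flagging user-consented grants to foreign applications that asked for mail or file scopes, and application permissions on Microsoft Graph that amount to tenant takeover. All IDs other than Microsoft Graph's well-known application ID are placeholders, and the permission-GUID map is an assumption to verify against the Graph service principal's appRoles in your tenant.

```python
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (well known)

# Microsoft Graph application permissions (appRole IDs) that let their holder
# take over the tenant. Assumed from Graph's service principal appRoles list;
# verify against your tenant before using it for alerting.
TIER0_GRAPH_APP_ROLES = {
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
    "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All",
    "06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All",
}
# Delegated scopes that let a consented app keep reading or acting on the victim's
# data long after the phishing session ended (offline_access yields a refresh token).
RISKY_DELEGATED_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "files.read.all",
                          "files.readwrite.all", "contacts.read", "offline_access"}

OUR_TENANT = "tenant-a"   # placeholder for the tenant's own ID

# Constructed directory objects; IDs are placeholders, not real GUIDs.
SERVICE_PRINCIPALS = [
    {"id": "sp-mailhelper", "appId": "app-1", "displayName": "Mail Helper Pro", "appOwnerOrganizationId": "tenant-x"},
    {"id": "sp-intranet",   "appId": "app-2", "displayName": "Intranet Portal", "appOwnerOrganizationId": OUR_TENANT},
    {"id": "sp-calendar",   "appId": "app-3", "displayName": "Calendar Widget", "appOwnerOrganizationId": "tenant-y"},
    {"id": "sp-graph",      "appId": GRAPH_RESOURCE_APP_ID, "displayName": "Microsoft Graph", "appOwnerOrganizationId": "tenant-ms"},
    {"id": "sp-ops",        "appId": "app-4", "displayName": "ops-automation", "appOwnerOrganizationId": OUR_TENANT},
    {"id": "sp-report",     "appId": "app-5", "displayName": "reporting-app", "appOwnerOrganizationId": OUR_TENANT},
]

OAUTH2_GRANTS = [   # consentType "Principal" = one user consented; "AllPrincipals" = admin consent
    {"clientId": "sp-mailhelper", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-alice", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "sp-intranet", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Mail.Read"},
    {"clientId": "sp-calendar", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-bob", "scope": "User.Read"},
]

APP_ROLE_ASSIGNMENTS = [   # as returned by /servicePrincipals/{graph}/appRoleAssignedTo
    {"principalId": "sp-ops", "principalDisplayName": "ops-automation", "resourceId": "sp-graph",
     "appRoleId": "19dbc75e-c2e2-444c-a770-ec69d8559fc7"},
    {"principalId": "sp-report", "principalDisplayName": "reporting-app", "resourceId": "sp-graph",
     "appRoleId": "df021288-bdef-4463-88db-98f22de89214"},   # User.Read.All: broad, but not tier 0
]


def consent_phishing_candidates(grants, service_principals, our_tenant):
    """User-consented grants to applications owned by another tenant that carry
    at least one risky delegated scope (AZT203)."""
    sps = {sp["id"]: sp for sp in service_principals}
    out = []
    for g in grants:
        if g["consentType"] != "Principal":
            continue                                    # admin consent is reviewed elsewhere
        app = sps.get(g["clientId"], {})
        if app.get("appOwnerOrganizationId") == our_tenant:
            continue                                    # first-party app
        risky = [s for s in g["scope"].split() if s.lower() in RISKY_DELEGATED_SCOPES]
        if risky:
            out.append({"app": app.get("displayName", g["clientId"]),
                        "user": g["principalId"], "scopes": risky})
    return out


def tier0_app_roles(assignments, service_principals):
    """Principals holding a tenant-takeover application permission on Graph (AZT405)."""
    graph_ids = {sp["id"] for sp in service_principals if sp["appId"] == GRAPH_RESOURCE_APP_ID}
    return [(a["principalDisplayName"], TIER0_GRAPH_APP_ROLES[a["appRoleId"]])
            for a in assignments
            if a["resourceId"] in graph_ids and a["appRoleId"] in TIER0_GRAPH_APP_ROLES]


if __name__ == "__main__":
    print(consent_phishing_candidates(OAUTH2_GRANTS, SERVICE_PRINCIPALS, OUR_TENANT))
    print(tier0_app_roles(APP_ROLE_ASSIGNMENTS, SERVICE_PRINCIPALS))
```

Every principal the second function returns is worth the same scrutiny as a Global Administrator, and so is every user or group that owns the corresponding application registration (AZT405.3), since adding a credential to it is all that stands between them and that permission.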

AZT501 - Account Manipulation

An adversary may manipulate an account to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"

Table 520. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501

AZT501.1 - User Account Manipulation

An adversary may manipulate a user account to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"

Table 521. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1

AZT501.2 - Service Principal Manipulation

An adversary may manipulate a service principal to maintain access in an Azure tenant.

The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"

Table 522. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2

AZT501.3 - Azure VM Local Administrator Manipulation

An adversary may manipulate the local administrator account on an Azure VM.

The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"

Table 523. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3

AZT502 - Account Creation

An adversary may create an account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502 - Account Creation"

Table 524. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502

AZT502.1 - User Account Creation

An adversary may create a user account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"

Table 525. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1

AZT502.2 - Service Principal Creation

An adversary may create an application and service principal in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"

Table 526. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2

AZT502.3 - Guest Account Creation

An adversary may create a guest account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"

Table 527. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3

AZT503 - HTTP Trigger

Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.

The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"

Table 528. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503

AZT503.1 - Logic Application HTTP Trigger

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"

Table 529. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1

AZT503.2 - Function App HTTP Trigger

Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"

Table 530. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2

AZT503.3 - Runbook Webhook

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"

Table 531. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3

AZT503.4 - WebJob

Adversaries may create a WebJob on an App Service, which allows arbitrary background tasks to be run on a set schedule.

The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"

Table 532. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4

AZT504 - Watcher Tasks

By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.

The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"

Table 533. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504

AZT505 - Scheduled Jobs

Adversaries may create a schedule for a Runbook to run at a defined interval.

The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"

Table 534. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1

AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"

Table 535. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506
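The NSG is the same object an adversary reads during AZT101 (which ports are open) and edits during AZT506 (open one more). The Python below is an added example, not code from the ATRM project or the MISP galaxy: it evaluates an NSG the way the fabric does, walking inbound rules in priority order and letting the first rule that applies to Internet-sourced traffic decide, and then diffs two snapshots to list the ports a change newly exposed. The two NSG documents are constructed in the shape `az network nsg show` returns (securityRules and defaultSecurityRules, each with a properties object), trimmed to the fields used here.

```python
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}   # source prefixes that cover any address


def _rule(name, priority, access, port, source, protocol="Tcp", direction="Inbound"):
    """One rule in the shape `az network nsg show` returns (fields used here only)."""
    return {"name": name, "properties": {"priority": priority, "direction": direction,
            "access": access, "protocol": protocol, "sourceAddressPrefix": source,
            "destinationPortRange": port}}


def _default_inbound():
    # The inbound half of the default rules every NSG carries; Azure fixes these priorities.
    return [_rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
            _rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
            _rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")]


# Constructed snapshots: the second is the first after an adversary added two rules.
NSG_BEFORE = {"name": "nsg-web",
              "securityRules": [_rule("allow-https", 100, "Allow", "443", "Internet")],
              "defaultSecurityRules": _default_inbound()}
NSG_AFTER = {"name": "nsg-web",
             "securityRules": [_rule("allow-https", 100, "Allow", "443", "Internet"),
                               _rule("allow-rdp", 110, "Allow", "3389", "*"),
                               _rule("allow-c2", 120, "Allow", "4444-4445", "0.0.0.0/0"),
                               _rule("deny-ssh-office", 130, "Deny", "22", "203.0.113.0/24")],
             "defaultSecurityRules": _default_inbound()}


def _parse_rule(props):
    """Normalise one rule: port spans as (lo, hi) pairs, protocol lower-cased,
    and a flag for whether the source prefix covers arbitrary Internet addresses."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    spans = []
    for r in ranges:
        if r == "*":
            spans.append((0, 65535))
        else:
            lo, _, hi = r.partition("-")
            spans.append((int(lo), int(hi or lo)))
    prefixes = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]
    return {"priority": props["priority"], "access": props["access"],
            "protocol": props["protocol"].lower(),
            "internet": any(p.lower() in INTERNET_SOURCES for p in prefixes),
            "spans": spans}


def _ordered_inbound(nsg):
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    parsed = [_parse_rule(r["properties"]) for r in rules
              if r["properties"]["direction"].lower() == "inbound"]
    return sorted(parsed, key=lambda r: r["priority"])


def _verdict(rules, port, protocol):
    """The first rule (lowest priority number) that applies to Internet-sourced
    traffic on this port decides. Rules scoped to a narrower source prefix
    neither allow nor block traffic from arbitrary addresses, so they are skipped."""
    for r in rules:
        if r["protocol"] in ("*", protocol) and r["internet"] \
                and any(lo <= port <= hi for lo, hi in r["spans"]):
            return r["access"]
    return "Deny"   # DenyAllInBound always matches, so this is only a safety net


def inbound_access(nsg, port, protocol="tcp"):
    return _verdict(_ordered_inbound(nsg), port, protocol.lower())


def internet_exposed_ports(nsg, protocol="tcp", candidates=range(1, 65536)):
    rules = _ordered_inbound(nsg)
    return [p for p in candidates if _verdict(rules, p, protocol.lower()) == "Allow"]


def newly_exposed(before, after, protocol="tcp"):
    """Ports reachable from the Internet after a change that were not before (AZT506)."""
    return sorted(set(internet_exposed_ports(after, protocol))
                  - set(internet_exposed_ports(before, protocol)))


if __name__ == "__main__":
    print("exposed before:", internet_exposed_ports(NSG_BEFORE))
    print("newly exposed :", newly_exposed(NSG_BEFORE, NSG_AFTER))
```

Feed it the JSON from `az network nsg show -g <group> -n <name>` taken before and after a `securityRules/write` event in the Activity Log. The model ignores NSGs attached at the subnet level, application security groups and service tags other than Internet, so treat a port it reports as exposed as "this NSG would not stop it" rather than proof of reachability.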

AZT507 - External Entity Access

Adversaries may configure the target Azure tenant to be managed by another, external tenant or its users.

The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"

Table 536. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507

AZT507.1 - Azure Lighthouse

Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant.

The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"

Table 537. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1

AZT507.2 - Microsoft Partners

Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.

The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"

Table 538. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2

AZT507.3 - Subscription Hijack

An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account set up by the target, and the target tenant's administrators no longer have control over the subscription.

The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"

Table 539. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3

AZT507.4 - Domain Trust Modification

An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.

The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"

Table 540. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4

AZT508 - Azure Policy

By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.

The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"

Table 541. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508

AZT601 - Steal Managed Identity JsonWebToken

An adversary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity service principal account.

The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"

Table 542. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601

AZT601.1 - Virtual Machine IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"

Table 543. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1

AZT601.2 - Azure Kubernetes Service IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"

Table 544. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2

AZT601.3 - Logic Application JWT PUT Request

If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"

Table 545. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3

AZT601.4 - Function Application JWT GET Request

If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request that reveals the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"

Table 546. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4

AZT601.5 - Automation Account Runbook

If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"

Table 547. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5

AZT602 - Steal Service Principal Certificate

If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.

The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"

Table 548. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1

AZT603 - Service Principal Secret Reveal

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.

The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"

Table 549. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1

AZT604 - Azure KeyVault Dumping

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"

Table 550. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604

AZT604.1 - Azure KeyVault Secret Dump

By accessing an Azure Key Vault, an adversary may dump any or all secrets.

The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"

Table 551. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1

AZT604.2 - Azure KeyVault Certificate Dump

By accessing an Azure Key Vault, an adversary may dump any or all certificates.

The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"

Table 552. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2

AZT604.3 - Azure KeyVault Key Dump

By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that private keys cannot be retrieved.

The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"

Table 553. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3

AZT605 - Resource Secret Reveal

An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"

Table 554. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605

AZT605.1 - Storage Account Access Key Dumping

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"

Table 555. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1

AZT605.2 - Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed.

The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"

Table 556. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2

AZT605.3 - Resource Group Deployment History Secret Dump

By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.

The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"

Table 557. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3

AZT701 - SAS URI Generation

By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.

The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"

Table 558. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701

AZT701.1 - VM Disk SAS URI

An adversary may create an SAS URI to download the disk attached to a virtual machine.

The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"

Table 559. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1

AZT701.2 - Storage Account File Share SAS

By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.

The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"

Table 560. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2

AZT702 - File Share Mounting

An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.

The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"

Table 561. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1

AZT703 - Replication

The tag is: misp-galaxy:atrm="AZT703 - Replication"

Table 562. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1

AZT704 - Soft-Delete Recovery

An adversary may leverage resources found in a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted.

The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"

Table 563. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704

AZT704.1 - Key Vault

An adversary may recover a key vault object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"

Table 564. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1

AZT704.2 - Storage Account Object

An adversary may recover a storage account object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"

Table 565. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2

AZT704.3 - Recovery Services Vault

An adversary may recover a virtual machine object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"

Table 566. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3

AZT705 - Azure Backup Delete

An adversary may recover a virtual machine object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT705 - Azure Backup Delete"

Table 567. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3

attck4fraud

attck4fraud - Principles of MITRE ATT&CK in the fraud domain.

attck4fraud is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Francesco Bigarella - Christophe Vandeplas

Phishing

In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.

The tag is: misp-galaxy:financial-fraud="Phishing"

Table 568. Table References

Links

https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/

https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Spear phishing

Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.

The tag is: misp-galaxy:financial-fraud="Spear phishing"

Spear phishing is also known as:

  • Spear-phishing

Table 569. Table References

Links

http://fortune.com/2017/04/27/facebook-google-rimasauskas/

https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM skimming

ATM Skimming refers to the act of capturing the data stored on a bank card (tracks) and the Personal Identification Number (PIN) associated with that card. Upon obtaining the data, the criminal proceeds to encode the same information onto a new card and uses it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.

The tag is: misp-galaxy:financial-fraud="ATM skimming"

ATM skimming is also known as:

  • Skimming - CPP ATM

Table 570. Table References

Links

https://krebsonsecurity.com/2015/07/spike-in-atm-skimming-in-mexico/

https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/

https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/

https://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/

https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/

https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/

https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green

https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM cash trapping

Trapping the cash dispenser with a physical component. Type 1 devices are visible to the user; type 2 devices are hidden inside the cash dispenser.

The tag is: misp-galaxy:financial-fraud="ATM cash trapping"

ATM cash trapping is also known as:

  • Cash Trapping

Table 571. Table References

Links

https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM Shimming

ATM Shimming refers to the act of capturing bank card data by accessing the EMV chip installed on the card while the card is presented to an ATM. Due to their low profile, shimmers can fit inside ATM card readers and are therefore more difficult to detect.

The tag is: misp-galaxy:financial-fraud="ATM Shimming"

Table 572. Table References

Links

https://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/

https://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

https://blog.dieboldnixdorf.com/atm-security-skimming-vs-shimming/

Vishing

Vishing, also known as voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organisation.

The tag is: misp-galaxy:financial-fraud="Vishing"

Table 573. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

POS Skimming

CPP analysis identifies the likely merchant, POS or ATM location from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.

The tag is: misp-galaxy:financial-fraud="POS Skimming"

POS Skimming is also known as:

  • Skimming - CPP POS

Table 574. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Social Media Scams

Social Media Scams

The tag is: misp-galaxy:financial-fraud="Social Media Scams"

Malware

Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

The tag is: misp-galaxy:financial-fraud="Malware"

Table 575. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Account-Checking Services

Account-Checking Services

The tag is: misp-galaxy:financial-fraud="Account-Checking Services"

ATM Black Box Attack

Type of Jackpotting attack. Connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to “cash out” the ATM.

The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"

ATM Black Box Attack is also known as:

  • Black Box Attack

Table 576. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Insider Trading

Insider Trading

The tag is: misp-galaxy:financial-fraud="Insider Trading"

Investment Fraud

A deceptive practice in the stock or commodities markets that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of securities laws.

The tag is: misp-galaxy:financial-fraud="Investment Fraud"

Table 577. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Romance Scam

Romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to commit fraud. Fraudulent acts may involve access to the victim’s money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.

The tag is: misp-galaxy:financial-fraud="Romance Scam"

Romance Scam is also known as:

  • Romance Fraud

Table 578. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Buying/Renting Fraud

Buying/Renting Fraud

The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"

Cash Recovery Scam

Cash Recovery Scam

The tag is: misp-galaxy:financial-fraud="Cash Recovery Scam"

Fake Invoice Fraud

Invoice fraud happens when a company or organisation is tricked into changing the bank account payee details for a payment. Criminals pose as regular suppliers to the company or organisation and make a formal request for bank account details to be changed, or issue false invoices.

The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"

Fake Invoice Fraud is also known as:

  • Invoice Fraud

Table 579. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Business Email Compromise

Business Email Compromise

The tag is: misp-galaxy:financial-fraud="Business Email Compromise"

Scam

Scam

The tag is: misp-galaxy:financial-fraud="Scam"

CxO Fraud

CxO Fraud

The tag is: misp-galaxy:financial-fraud="CxO Fraud"

Compromised Payment Cards

The loss of or theft of a card, which is subsequently used for illegal purposes until blocked by the card issuer.

The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"

Compromised Payment Cards is also known as:

  • Lost/Stolen Card

Table 580. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Compromised Account Credentials

Account takeover fraud is a form of identity theft in which the fraudster gains access to a victim’s bank or credit card accounts (through a data breach, malware or phishing) and uses them to make unauthorised transactions.

The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"

Compromised Account Credentials is also known as:

  • Account Takeover Fraud

Table 581. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Compromised Personally Identifiable Information (PII)

Compromised Personally Identifiable Information (PII)

The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"

Compromised Intellectual Property (IP)

Compromised Intellectual Property (IP)

The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"

SWIFT Transaction

SWIFT Transaction

The tag is: misp-galaxy:financial-fraud="SWIFT Transaction"

Fund Transfer

Fund Transfer

The tag is: misp-galaxy:financial-fraud="Fund Transfer"

Cryptocurrency Exchange

Cryptocurrency Exchange

The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"

ATM Jackpotting

ATM Jackpotting

The tag is: misp-galaxy:financial-fraud="ATM Jackpotting"

Money Mules

Money Mules

The tag is: misp-galaxy:financial-fraud="Money Mules"

Prepaid Cards

Prepaid Cards

The tag is: misp-galaxy:financial-fraud="Prepaid Cards"

Resell Stolen Data

Resell Stolen Data

The tag is: misp-galaxy:financial-fraud="Resell Stolen Data"

ATM Explosive Attack

ATM Explosive Attack

The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"

CNP – Card Not Present

A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant’s visual examination at the time that an order is given and payment effected.

The tag is: misp-galaxy:financial-fraud="CNP – Card Not Present"

Table 582. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

CP – Card Present

A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction.

The tag is: misp-galaxy:financial-fraud="CP – Card Present"

Table 583. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Merchant Fraud

Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.

The tag is: misp-galaxy:financial-fraud="Merchant Fraud"

Table 584. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Virtual Currency Fraud

Fraud that involves virtual currency, or virtual money, which is a type of unregulated, digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.

The tag is: misp-galaxy:financial-fraud="Virtual Currency Fraud"

Table 585. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Cheque Fraud

A category of criminal acts that involve making unlawful use of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or the account-holder’s legal ownership. Most methods involve taking advantage of the time between the negotiation of the cheque and its clearance at the cheque writer’s financial institution to draw out these funds.

The tag is: misp-galaxy:financial-fraud="Cheque Fraud"

Table 586. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Digital Fraud

Fraud perpetrated via omni-channel means against digital banking or payments channels such as home banking or other electronic services.

The tag is: misp-galaxy:financial-fraud="Digital Fraud"

Table 587. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Mobile Fraud

Fraud perpetrated via mobile devices against digital banking or payments channels such as home banking or other electronic services, or against online merchants.

The tag is: misp-galaxy:financial-fraud="Mobile Fraud"

Table 588. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Telephone Fraud

Fraud perpetrated via landline telephone means against banking or payments channels such as home banking or other electronic services, or against merchants.

The tag is: misp-galaxy:financial-fraud="Telephone Fraud"

Table 589. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Standing Order Fraud

A standing order is an automated method of making payments, where a person or business instructs their bank to pay another person or business a fixed amount of money at regular intervals. Fraud occurs when a standing order is falsely created or adulterated.

The tag is: misp-galaxy:financial-fraud="Standing Order Fraud"

Table 590. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

CEO/BEC Fraud

A scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorised wire transfers or sending out confidential information.

The tag is: misp-galaxy:financial-fraud="CEO/BEC Fraud"

Table 591. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Money laundering

An illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. The overall scheme of this process returns the money to the launderer in an obscure and indirect way.

The tag is: misp-galaxy:financial-fraud="Money laundering"

Table 592. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

BIN Attack

Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate further valid card numbers from it.

The tag is: misp-galaxy:financial-fraud="BIN Attack"

Table 593. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

DoS - Denial of Service Attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

The tag is: misp-galaxy:financial-fraud="DoS - Denial of Service Attack"

Table 594. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

MITM - Man-in-the-Middle Attack

In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

The tag is: misp-galaxy:financial-fraud="MITM - Man-in-the-Middle Attack"

Table 595. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Transaction Reversal Fraud

Unauthorised physical manipulation of an ATM cash withdrawal so that it appears the cash has not been dispensed and a reversal message is generated. See the full terminal fraud definition.

The tag is: misp-galaxy:financial-fraud="Transaction Reversal Fraud"

Table 596. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Transaction Message Adulteration

The data contained in an authorisation message is manipulated to try to fool the payment processor.

The tag is: misp-galaxy:financial-fraud="Transaction Message Adulteration"

Table 597. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

First Party (Friendly) Fraud

Fraud committed against a financial institution by one of its own customers.

The tag is: misp-galaxy:financial-fraud="First Party (Friendly) Fraud"

Table 598. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Identity Spoofing (or entity hacking)

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen or spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages: any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity.

The tag is: misp-galaxy:financial-fraud="Identity Spoofing (or entity hacking)"

Table 599. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Authorised Push Payment Fraud

A form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.

The tag is: misp-galaxy:financial-fraud="Authorised Push Payment Fraud"

Table 600. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Direct Debit Fraud

Direct debit fraud can take place in several ways. It is often associated with identity theft, where the scammer gains access to the bank account information by posing as the victim. They can pay for services and products via a direct debit option and use this account until its owner notices.

The tag is: misp-galaxy:financial-fraud="Direct Debit Fraud"

Table 601. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Extortion

Obtaining benefit through coercion.

The tag is: misp-galaxy:financial-fraud="Extortion"

Table 602. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Smishing

Smishing, also known as "SMS phishing", is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver information and/or requests that induce people to divulge confidential information or to take action that will compromise their personal or confidential information.

The tag is: misp-galaxy:financial-fraud="Smishing"

Table 603. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Shoulder Surfing

Technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder.

The tag is: misp-galaxy:financial-fraud="Shoulder Surfing"

Table 604. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Distraction

The process of diverting the attention of an individual or group from a desired area of focus and thereby blocking or diminishing the reception of desired information.

The tag is: misp-galaxy:financial-fraud="Distraction"

Table 605. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Push Payments

Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.

The tag is: misp-galaxy:financial-fraud="Push Payments"

Table 606. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

ATM Malware

Unauthorised software, or authorised software run in an unauthorised manner, on the ATM PC. See the full terminal fraud definition.

The tag is: misp-galaxy:financial-fraud="ATM Malware"

Table 607. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Data Breach

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or Computer Network by an entity unauthorised to do so.

The tag is: misp-galaxy:financial-fraud="Data Breach"

Table 608. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Ransomware

A type of malicious software designed to block access to a computer system until a sum of money is paid.

The tag is: misp-galaxy:financial-fraud="Ransomware"

Table 609. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Fake Website

A website that is not a legitimate venue; the site is designed to entice the visitor into revealing sensitive information, to download some form of malware, or to purchase products that never arrive.

The tag is: misp-galaxy:financial-fraud="Fake Website"

Table 610. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Fake App

Apps in mobile devices that trick users into downloading them. They may also pose as quirky and attractive apps, providing interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.

The tag is: misp-galaxy:financial-fraud="Fake App"

Table 611. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

e-Skimming

Cyber criminals introduce skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.

The tag is: misp-galaxy:financial-fraud="e-Skimming"

Table 612. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Skimming - CPP UPT

CPP analysis identifies the unattended payment terminal locations (parking, transport, fuel, etc.) from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.

The tag is: misp-galaxy:financial-fraud="Skimming - CPP UPT"

Table 613. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Skimming - CPP Virtual Terminal

Same as e-Skimming.

The tag is: misp-galaxy:financial-fraud="Skimming - CPP Virtual Terminal"

Table 614. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Card Trapping

Unauthorised physical ATM manipulation that prevents the card from being returned to the customer. See the full terminal fraud definition.

The tag is: misp-galaxy:financial-fraud="Card Trapping"

Table 615. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Lack of Patching / Security

Patch management is the best practice of upgrading existing software applications to remove any security weaknesses that could be exploited by hackers. Lack of proper patching allows cyber criminals to exploit systems and networks.

The tag is: misp-galaxy:financial-fraud="Lack of Patching / Security"

Table 616. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Bad implementation

Process where an information system is deployed into a production environment with faults, errors or vulnerabilities.

The tag is: misp-galaxy:financial-fraud="Bad implementation"

Table 617. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Deployment Error

Implementation of a system, solution or service not according to defined and tested best practices.

The tag is: misp-galaxy:financial-fraud="Deployment Error"

Table 618. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Merchant Negligence

Merchants not following best practice procedures to avoid criminal or fraudulent activity.

The tag is: misp-galaxy:financial-fraud="Merchant Negligence"

Table 619. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Implementation not according to Standards

Implementation of a system, solution or service not according to defined and tested standards.

The tag is: misp-galaxy:financial-fraud="Implementation not according to Standards"

Table 620. Table References

Links

https://www.association-secure-transactions.eu/industry-information/fraud-definitions/

Backdoor

A list of backdoor malware.

Backdoor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

The tag is: misp-galaxy:backdoor="WellMess"

WellMess has relationships with:

  • similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"

Table 621. Table References

Links

https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

The tag is: misp-galaxy:backdoor="Rosenbridge"

Table 622. Table References

Links

https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/

https://github.com/xoreaxeaxeax/rosenbridge

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf

ServHelper

The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.

"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.

The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.

The tag is: misp-galaxy:backdoor="ServHelper"

Table 623. Table References

Links

https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

Rising Sun

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The tag is: misp-galaxy:backdoor="Rising Sun"

Table 624. Table References

Links

https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/

SLUB

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing Github and Slack uses a multi-stage infection process.

The tag is: misp-galaxy:backdoor="SLUB"

SLUB has relationships with:

  • similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"

Table 625. Table References

Links

https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/

Asruex

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.

The tag is: misp-galaxy:backdoor="Asruex"

Table 626. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/

FlowerPippi

The tag is: misp-galaxy:backdoor="FlowerPippi"

Table 627. Table References

Links

https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/

Speculoos

A FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

The tag is: misp-galaxy:backdoor="Speculoos"

Speculoos has relationships with:

  • used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"

Table 628. Table References

Links

https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

Mori Backdoor

Mori Backdoor has been used by Seedworm.

The tag is: misp-galaxy:backdoor="Mori Backdoor"

Table 629. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

BazarBackdoor

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails' subjects.

The tag is: misp-galaxy:backdoor="BazarBackdoor"

BazarBackdoor is also known as:

  • BEERBOT

  • KEGTAP

  • Team9Backdoor

  • bazaloader

  • bazarloader

  • bazaarloader

Table 630. Table References

Links

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/

SUNBURST

Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWinds’ Orion IT monitoring and management software.

The tag is: misp-galaxy:backdoor="SUNBURST"

SUNBURST is also known as:

  • Solarigate

SUNBURST has relationships with:

  • dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 631. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/

https://blog.malwarebytes.com/detections/backdoor-sunburst/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP, allowing the threat actor a variety of mechanisms to interact with the implant.

The tag is: misp-galaxy:backdoor="BPFDoor"

Table 632. Table References

Links

https://troopers.de/troopers22/talks/7cv8pz/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?gi=1effe9eb6507

https://twitter.com/cyb3rops/status/1523227511551033349

https://twitter.com/CraigHRowland/status/1523266585133457408

BOLDMOVE

According to Mandiant, this malware family is attributed to a potential Chinese background and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).

The tag is: misp-galaxy:backdoor="BOLDMOVE"

Table 633. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove

https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

PowerMagic

The tag is: misp-galaxy:backdoor="PowerMagic"

Table 634. Table References

Links

https://securelist.com/bad-magic-apt/109087/

VEILEDSIGNAL

VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control (C2) infrastructure.

The tag is: misp-galaxy:backdoor="VEILEDSIGNAL"

Table 635. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

POOLRAT

POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, securely deleting files, reading and writing files, and updating the configuration.

The tag is: misp-galaxy:backdoor="POOLRAT"

Table 636. Table References

Links

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

BIGRAISIN

BIGRAISIN is a C/C++ Windows based backdoor. It is capable of executing downloaded commands, executing downloaded files, and deleting files. Availability: Non-public

The tag is: misp-galaxy:backdoor="BIGRAISIN"

BIGRAISIN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 637. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

FASTFIRE

FASTFIRE is a malicious APK that connects to a server and sends details of the compromised device back to command and control (C2). Availability: Non-public

The tag is: misp-galaxy:backdoor="FASTFIRE"

FASTFIRE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 638. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

GRAYZONE

GRAYZONE is a C/C++ Windows backdoor capable of collecting system information, logging keystrokes, and downloading additional stages from the C2 server. Availability: Non-public

The tag is: misp-galaxy:backdoor="GRAYZONE"

GRAYZONE has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 639. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

HANGMAN.V2

HANGMAN.V2 is a variant of the backdoor HANGMAN. HANGMAN.V2 is very similar to HANGMAN, but uses HTTP for the network communications and formats data passed to the C2 server differently. Availability: Non-public

The tag is: misp-galaxy:backdoor="HANGMAN.V2"

HANGMAN.V2 has relationships with:

  • variant-of: misp-galaxy:malpedia="HOPLIGHT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 640. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

LOGCABIN

LOGCABIN is a file-less and modular backdoor with multiple stages. The stages consist of several VisualBasic and PowerShell scripts that are downloaded and executed. LOGCABIN collects detailed system information and sends it to the C2 before performing additional commands. Availability: Non-public

The tag is: misp-galaxy:backdoor="LOGCABIN"

LOGCABIN has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 641. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

SOURDOUGH

SOURDOUGH is a backdoor written in C that communicates via HTTP. Its capabilities include keylogging, screenshot capture, file transfer, file execution, and directory enumeration. Availability: Non-public

The tag is: misp-galaxy:backdoor="SOURDOUGH"

SOURDOUGH has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 642. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

TROIBOMB

TROIBOMB is a C/C++ Windows backdoor that is capable of collecting system information and performing commands from the C2 server. Availability: Non-public

The tag is: misp-galaxy:backdoor="TROIBOMB"

TROIBOMB has relationships with:

  • used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"

Table 643. Table References

Links

https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report

ZIPLINE

ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).

The tag is: misp-galaxy:backdoor="ZIPLINE"

Table 644. Table References

Links

https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

SPAWNSNAIL

SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.

SPAWNSNAIL’s second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.

The tag is: misp-galaxy:backdoor="SPAWNSNAIL"

SPAWNSNAIL has relationships with:

  • used-by: misp-galaxy:threat-actor="UNC5337" with estimative-language:likelihood-probability="likely"

  • preceded-by: misp-galaxy:tool="SPAWNANT" with estimative-language:likelihood-probability="likely"

  • interacts-with: misp-galaxy:tool="SPAWNMOLE" with estimative-language:likelihood-probability="likely"

  • injects: misp-galaxy:tool="SPAWNSLOTH" with estimative-language:likelihood-probability="likely"

Table 645. Table References

Links

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

BRICKSTORM

BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.

The tag is: misp-galaxy:backdoor="BRICKSTORM"

BRICKSTORM has relationships with:

  • used-by: misp-galaxy:threat-actor="UTA0178" with estimative-language:likelihood-probability="likely"

Table 646. Table References

Links

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

PHANTOMNET

PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET’s core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.

The tag is: misp-galaxy:backdoor="PHANTOMNET"

PHANTOMNET has relationships with:

  • is-deployed-by: misp-galaxy:threat-actor="UNC5330" with estimative-language:likelihood-probability="likely"

  • executed-by: misp-galaxy:tool="TONERJAM" with estimative-language:likelihood-probability="likely"

Table 647. Table References

Links

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

TERRIBLETEA

TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including command execution, keystroke logging, SOCKS5 proxy, port scanning, file system interaction, SQL query execution, screen captures, and the ability to open a new SSH session, execute commands, and upload files to a remote server.

The tag is: misp-galaxy:backdoor="TERRIBLETEA"

TERRIBLETEA has relationships with:

  • is-deployed-by: misp-galaxy:threat-actor="UNC5266" with estimative-language:likelihood-probability="likely"

Table 648. Table References

Links

https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

Merdoor

Merdoor is a fully-featured backdoor that appears to have been in existence since 2018. The backdoor contains the following functionality: installing itself as a service, keylogging, a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), and the ability to listen on a local port for commands. Instances of the Merdoor backdoor are usually identical with the exception of the embedded and encrypted configuration, which determines the C&C communication method, service details and installation directory. Typically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.

The tag is: misp-galaxy:backdoor="Merdoor"

Table 649. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor

Banker

A list of banker malware.

Banker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown - raw-data

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.

The tag is: misp-galaxy:banker="Zeus"

Zeus is also known as:

  • Zbot

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 650. Table References

Links

https://usa.kaspersky.com/resource-center/threats/zeus-virus

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

The tag is: misp-galaxy:banker="Vawtrak"

Vawtrak is also known as:

  • Neverquest

Vawtrak has relationships with:

  • similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 651. Table References

Links

https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/

https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving

https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows

https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

The tag is: misp-galaxy:banker="Dridex"

Dridex is also known as:

  • Feodo Version D

  • Cridex

Dridex has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

Table 652. Table References

Links

https://blog.malwarebytes.com/detections/trojan-dridex/

https://feodotracker.abuse.ch/

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010.

The tag is: misp-galaxy:banker="Gozi"

Gozi is also known as:

  • Ursnif

  • CRM

  • Snifula

  • Papras

Gozi has relationships with:

  • similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 653. Table References

Links

https://www.secureworks.com/research/gozi

https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

https://lokalhost.pl/gozi_tree.txt

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

The tag is: misp-galaxy:banker="Goziv2"

Goziv2 is also known as:

  • Prinimalka

Table 654. Table References

Links

https://krebsonsecurity.com/tag/gozi-prinimalka/

https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/

https://lokalhost.pl/gozi_tree.txt

Gozi ISFB

Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshotting, video recording, transparent redirections, etc. Source leaked around the end of 2015.

The tag is: misp-galaxy:banker="Gozi ISFB"

Gozi ISFB has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 655. Table References

Links

https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak

https://lokalhost.pl/gozi_tree.txt

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

The tag is: misp-galaxy:banker="Dreambot"

Table 656. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

https://lokalhost.pl/gozi_tree.txt

IAP

Gozi ISFB variant.

The tag is: misp-galaxy:banker="IAP"

IAP has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 657. Table References

Links

https://lokalhost.pl/gozi_tree.txt

http://archive.is/I7hi8#selection-217.0-217.6

GozNym

The GozNym hybrid takes the best of both Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.

The tag is: misp-galaxy:banker="GozNym"

Table 658. Table References

Links

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://lokalhost.pl/gozi_tree.txt

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Zloader Zeus"

Zloader Zeus is also known as:

  • Zeus Terdot

Zloader Zeus has relationships with:

  • similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"

Table 659. Table References

Links

https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle

https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve its configuration file.

The tag is: misp-galaxy:banker="Zeus VM"

Zeus VM is also known as:

  • VM Zeus

Zeus VM has relationships with:

  • similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"

Table 660. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

The tag is: misp-galaxy:banker="Zeus Sphinx"

Zeus Sphinx has relationships with:

  • similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"

Table 661. Table References

Links

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Panda Banker

Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Panda Banker"

Panda Banker is also known as:

  • Zeus Panda

Table 662. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of its config in the registry.

The tag is: misp-galaxy:banker="Zeus KINS"

Zeus KINS is also known as:

  • Kasper Internet Non-Security

  • Maple

Zeus KINS has relationships with:

  • similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"

Table 663. Table References

Links

https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/

https://github.com/nyx0/KINS

Chthonic

Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

The tag is: misp-galaxy:banker="Chthonic"

Chthonic is also known as:

  • Chtonic

Chthonic has relationships with:

  • similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"

Table 664. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://securelist.com/chthonic-a-new-modification-of-zeus/68176/

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.

The tag is: misp-galaxy:banker="Trickbot"

Trickbot is also known as:

  • Trickster

  • Trickloader

Trickbot has relationships with:

  • similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

Table 665. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/

Dyre

Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.

The tag is: misp-galaxy:banker="Dyre"

Dyre is also known as:

  • Dyreza

Dyre has relationships with:

  • similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

Table 666. Table References

Links

https://www.secureworks.com/research/dyre-banking-trojan

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

Tinba

Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

The tag is: misp-galaxy:banker="Tinba"

Tinba is also known as:

  • Zusy

  • TinyBanker

  • illi

Tinba has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 667. Table References

Links

https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/

http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/

https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/

http://my.infotex.com/tiny-banker-trojan/

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

The tag is: misp-galaxy:banker="Geodo"

Geodo is also known as:

  • Feodo Version C

  • Emotet

Geodo has relationships with:

  • similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"

Table 668. Table References

Links

https://feodotracker.abuse.ch/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/

https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/

https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet

https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring and manipulating cookies (Version A = Port 8080, Version B = Port 80). It is delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Feodo"

Feodo is also known as:

  • Bugat

  • Cridex

Feodo has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

Table 669. Table References

Links

https://securelist.com/dridex-a-history-of-evolution/78531/

https://feodotracker.abuse.ch/

http://stopmalvertising.com/rootkits/analysis-of-cridex.html

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.

The tag is: misp-galaxy:banker="Ramnit"

Ramnit is also known as:

  • Nimnul

Ramnit has relationships with:

  • similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 670. Table References

Links

https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

The tag is: misp-galaxy:banker="Qakbot"

Qakbot is also known as:

  • Qbot

  • Pinkslipbot

  • Akbot

Qakbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 671. Table References

Links

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

Corebot

Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Corebot"

Corebot has relationships with:

  • similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"

Table 672. Table References

Links

https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf

https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="TinyNuke"

TinyNuke is also known as:

  • NukeBot

  • Nuclear Bot

  • MicroBankingTrojan

  • Xbot

TinyNuke has relationships with:

  • similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"

Table 673. Table References

Links

https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/

https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596

https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html

Retefe

Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.

The tag is: misp-galaxy:banker="Retefe"

Retefe is also known as:

  • Tsukuba

  • Werdlod

Retefe has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 674. Table References

Links

https://www.govcert.admin.ch/blog/33/the-retefe-saga

https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/

https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/

https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/

http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="ReactorBot"

ReactorBot has relationships with:

  • similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"

Table 675. Table References

Links

http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under

http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html

http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Matrix Banker

Matrix Banker is named after the Matrix reference in its C2 panel. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="Matrix Banker"

Matrix Banker has relationships with:

  • similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"

Table 676. Table References

Links

https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Zeus Gameover"

Table 677. Table References

Links

https://heimdalsecurity.com/blog/zeus-gameover/

https://www.us-cert.gov/ncas/alerts/TA14-150A

SpyEye

SpyEye is a banking trojan similar to the Zeus botnet. It utilizes a web control panel for C2 and can perform form grabbing, and includes credit card autofill, FTP grabber, POP3 grabber and HTTP basic access authorization grabber modules. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="SpyEye"

Table 678. Table References

Links

https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf

https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html

https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

The tag is: misp-galaxy:banker="Citadel"

Citadel has relationships with:

  • similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"

Table 679. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

https://krebsonsecurity.com/tag/citadel-trojan/

https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Atmos"

Table 680. Table References

Links

https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/

http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

The tag is: misp-galaxy:banker="Ice IX"

Ice IX has relationships with:

  • similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"

Table 681. Table References

Links

https://securelist.com/ice-ix-not-cool-at-all/29111/

Zitmo

Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.

The tag is: misp-galaxy:banker="Zitmo"

Table 682. Table References

Links

https://securelist.com/zeus-in-the-mobile-for-android-10/29258/

Licat

Banking trojan based on Zeus V2. Murofet is a newer version of Licat found around the end of 2011.

The tag is: misp-galaxy:banker="Licat"

Licat is also known as:

  • Murofet

Licat has relationships with:

  • similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"

Table 683. Table References

Links

https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.

The tag is: misp-galaxy:banker="Skynet"

Table 684. Table References

Links

https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

The tag is: misp-galaxy:banker="IcedID"

IcedID is also known as:

  • BokBot

IcedID has relationships with:

  • similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

Table 685. Table References

Links

https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

GratefulPOS

GratefulPOS has the following functions:

  • Access arbitrary processes on the target POS system

  • Scrape track 1 and 2 payment card data from the process(es)

  • Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014, and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.

The tag is: misp-galaxy:banker="GratefulPOS"

GratefulPOS has relationships with:

  • similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 686. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

Dok

A macOS banking trojan that redirects an infected user’s web traffic in order to extract banking credentials.

The tag is: misp-galaxy:banker="Dok"

Dok has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 687. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Dok

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

The tag is: misp-galaxy:banker="downAndExec"

Table 688. Table References

Links

https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

The tag is: misp-galaxy:banker="Smominru"

Smominru is also known as:

  • Ismo

  • lsmo

Smominru has relationships with:

  • similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"

Table 689. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

DanaBot

It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)

The tag is: misp-galaxy:banker="DanaBot"

DanaBot has relationships with:

  • similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"

Table 690. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.

The tag is: misp-galaxy:banker="Backswap"

Table 691. Table References

Links

https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

Bebloh

The tag is: misp-galaxy:banker="Bebloh"

Bebloh is also known as:

  • URLZone

  • Shiotob

Bebloh has relationships with:

  • similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"

Table 692. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A

https://www.symantec.com/security-center/writeup/2011-041411-0912-99

Banjori

The tag is: misp-galaxy:banker="Banjori"

Banjori is also known as:

  • MultiBanker 2

  • BankPatch

  • BackPatcher

Banjori has relationships with:

  • similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"

Table 693. Table References

Links

https://www.johannesbader.ch/2015/02/the-dga-of-banjori/

Qadars

The tag is: misp-galaxy:banker="Qadars"

Qadars has relationships with:

  • similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"

Table 694. Table References

Links

https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/

Sisron

The tag is: misp-galaxy:banker="Sisron"

Table 695. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Ranbyus

The tag is: misp-galaxy:banker="Ranbyus"

Ranbyus has relationships with:

  • similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"

Table 696. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Fobber

The tag is: misp-galaxy:banker="Fobber"

Fobber has relationships with:

  • similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"

Table 697. Table References

Links

https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a fashion similar to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.

The tag is: misp-galaxy:banker="Karius"

Karius has relationships with:

  • similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"

Table 698. Table References

Links

https://research.checkpoint.com/banking-trojans-development/

Kronos

Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus, it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C control panels.

The tag is: misp-galaxy:banker="Kronos"

Kronos has relationships with:

  • similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"

Table 699. Table References

Links

https://en.wikipedia.org/wiki/Kronos_(malware)

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

The tag is: misp-galaxy:banker="CamuBot"

CamuBot has relationships with:

  • similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"

Table 700. Table References

Links

https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/

Dark Tequila

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:banker="Dark Tequila"

Table 701. Table References

Links

https://thehackernews.com/2018/08/mexico-banking-malware.html

Malteiro

Distributed by Malteiro

The tag is: misp-galaxy:banker="Malteiro"

Malteiro is also known as:

  • URSA

Malteiro has relationships with:

  • delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"

Table 702. Table References

Links

https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/

Bhadra Framework

Bhadra Threat Modeling Framework.

Bhadra Framework is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura

Attacks from UE

"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.

The tag is: misp-galaxy:bhadra-framework="Attacks from UE"

SIM-based attacks

The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.

The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"

Attacks from radio access network

The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.

The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"

Attacks from other mobile network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies performing lawful interception, and human insiders with access to network nodes.

The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"

Attacks with access to transport network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies performing lawful interception, and human insiders with access to network nodes.

The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"

Attacks from IP-based network

The "attacks from IP-based network" techniques are mostly launched from the service and application network, which allows non-operator entities to inject malicious traffic into an operator’s network.

The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"

Insider attacks and human errors

The "insider attacks and human errors" techniques involve the intentional attacks and unintentional mistakes of human insiders with access to any component of the mobile communication ecosystem.

The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"

Infecting UE hardware or software

Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.

The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"

Infecting SIM cards

Retaining the foothold gained on the target system through the initial access by infecting SIM cards.

The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"

Spoofed radio network

Retaining the foothold gained on the target system through the initial access by radio network spoofing.

The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"

Infecting network nodes

Retaining the foothold gained on the target system through the initial access by infecting network nodes.

The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"

Covert channels

Retaining the foothold gained on the target system through the initial access via covert channels.

The tag is: misp-galaxy:bhadra-framework="Covert channels"

Port scanning or sweeping

"Port scanning or sweeping" techniques to probe servers or hosts with open ports.

The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"

Perimeter mapping

"Perimeter mapping" techniques use a wide range of publicly available sources, such as command-line utilities (e.g., nmap and whois), web-based lookup tools and the official APIs provided by the Internet registrars that assign ASNs.

The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"

Threat intelligence gathering

"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.

The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"

CN-specific scanning

"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).

The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"

Internal resource search

"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.

The tag is: misp-galaxy:bhadra-framework="Internal resource search"

UE knocking

"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.

The tag is: misp-galaxy:bhadra-framework="UE knocking"

Exploit roaming agreements

"Exploit roaming agreements" is a technique exploited by evil mobile operators. Although communication between operators depends on a roaming agreement being in place, an attacker that has gained a foothold with one operator can abuse that operator’s roaming agreements for lateral movement to all adjacent operators with agreements in place.

The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"

Abusing interworking functionalities

"Abusing interworking functionalities" is a technique for adversaries to move laterally between networks of different generations.

The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"

Exploit platform & service-specific vulnerabilities

Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.

The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"

SS7-based-attacks

Attacks abusing the SS7 protocol.

The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"

Diameter-based attacks

Attacks abusing the Diameter protocol.

The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"

GTP-based attacks

Attacks abusing the GTP protocol.

The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"

DNS-based attacks

DNS based attacks.

The tag is: misp-galaxy:bhadra-framework="DNS-based attacks"

Pre-AKA attacks

Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.

The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"

Security audit camouflage

The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.

The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"

Blacklist evasion

Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and traffic from only these nodes is processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but they barely serve their purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an attacker with knowledge of identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.

The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"

Middlebox misconfiguration exploits

NAT middleboxes, which separate the private networks of mobile operators from the public Internet, act as a second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to inject malicious traffic into mobile networks, e.g., by spoofing IP headers. Other NAT vulnerabilities lie in the IPv4-to-IPv6 address mapping logic, which adversaries can exploit to exhaust resources, wipe out the mapping, or assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.

The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"

Bypass Firewall

Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.

The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"
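The two techniques above (blacklist evasion and bypassing the interconnect firewall through roaming-partner trust) share one root cause: screening that keys only on an unauthenticated identifier such as the calling GT. The example below is added here and is not part of the Bhadra framework or of the MISP galaxy data. It contrasts a screen that allows or denies purely on the calling GT with one that also binds each allowed GT to the interconnect it is registered for. All GTs, the partner names, the `arrived_via` field and the sample messages are constructed for the illustration.

```python
# Constructed IR.21-style allowlist: partner node GT -> role and the interconnect
# (e.g. the SIGTRAN/SCTP peer) over which that node's traffic is expected to arrive.
ALLOWED_NODES = {
    "352123456789": {"role": "HLR", "peer": "partner-A"},
    "352987654321": {"role": "MSC", "peer": "partner-A"},
    "441234567890": {"role": "HLR", "peer": "partner-B"},
}
BLOCKED_GTS = {"999000000001"}   # constructed blacklist entry


def identifier_screen(msg):
    """Allow/deny purely on the calling GT: the screening the text describes."""
    gt = msg["calling_gt"]
    if gt in BLOCKED_GTS:
        return "blocked"
    return "accepted" if gt in ALLOWED_NODES else "dropped"


def peer_bound_screen(msg):
    """Same lists, but the GT must also arrive over the interconnect it is registered for.
    A spoofed GT, or a partner using another partner's GT, no longer passes."""
    gt = msg["calling_gt"]
    if gt in BLOCKED_GTS:
        return "blocked"
    node = ALLOWED_NODES.get(gt)
    if node is None:
        return "dropped"
    if node["peer"] != msg["arrived_via"]:
        return "spoofed"   # identifier is on the allowlist, but not from where it should be
    return "accepted"


# Constructed messages; 'arrived_via' is the interconnect the message came in on.
SAMPLE_MESSAGES = {
    "legit":          {"calling_gt": "352123456789", "arrived_via": "partner-A",
                       "operation": "sendRoutingInfoForSM"},
    "spoofed_gt":     {"calling_gt": "352123456789", "arrived_via": "unknown-carrier",
                       "operation": "sendRoutingInfoForSM"},
    "partner_b_as_a": {"calling_gt": "352987654321", "arrived_via": "partner-B",
                       "operation": "updateLocation"},
    "blacklisted":    {"calling_gt": "999000000001", "arrived_via": "partner-A",
                       "operation": "sendRoutingInfoForSM"},
    "unknown":        {"calling_gt": "123000000000", "arrived_via": "partner-A",
                       "operation": "sendRoutingInfoForSM"},
}


def screen_all(messages, screen):
    """Run one screening function over every sample and return name -> verdict."""
    return {name: screen(msg) for name, msg in messages.items()}


if __name__ == "__main__":
    for name in SAMPLE_MESSAGES:
        print(f"{name:15} identifier-only={identifier_screen(SAMPLE_MESSAGES[name]):9} "
              f"peer-bound={peer_bound_screen(SAMPLE_MESSAGES[name])}")
```

The identifier-only screen accepts both the spoofed message and the one in which partner B presents partner A's GT; the peer-bound screen flags both as spoofed while leaving the legitimate, blacklisted and unknown cases unchanged. Binding identifiers to transport is one of the checks that interconnect monitoring adds on top of plain allowlisting.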

Bypass homerouting

SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.

The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"

Downgrading

Attacks on radio access networks are well studied, and newer generations are designed to address the weaknesses of previous generations. Use of weak cryptographic primitives, lack of integrity protection on the radio channels, and one-sided authentication (the network authenticates the subscriber, but not vice versa) remain problems mostly of GSM-only radio communication. Radio link attackers therefore use downgrading as an attack technique: they block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only SS7-based signaling instead of Diameter-based signaling. Using interworking functions for inter-generation communication translation could make downgrading attacks much easier.

The tag is: misp-galaxy:bhadra-framework="Downgrading"

Redirection

Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.

The tag is: misp-galaxy:bhadra-framework="Redirection"

UE Protection evasion

Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.

The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"

Admin credentials

Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.

The tag is: misp-galaxy:bhadra-framework="Admin credentials"

User-specific identifiers

User-specific identifiers such as IMSI and IMEI indicate who owns a UE with a specific subscription and where a UE is physically located. Since mobile users always keep their phones physically near them, an adversary with knowledge of these permanent identifiers can determine whether or not a user is in a specific location. Temporary identifiers (e.g., TMSI and GUTI), on the other hand, are used to reduce the use of permanent identifiers like IMSI over radio channels. Although temporary identifiers are supposed to change frequently and are expected to live for only a short period, research has shown that this is not the case.

The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"

User-specific data

Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).

The tag is: misp-galaxy:bhadra-framework="User-specific data"

Network-specific identifiers

Adversaries aim to collect network-specific identifiers such as the GTs and IPs of critical nodes and the Tunnel Endpoint Identifiers (TEIDs) of GTP tunnels from operators’ networks.

The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"

Network-specific data

Adversaries may also be interested in network-specific data that is obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationships between different nodes, routing metadata, and sensitive documents.

The tag is: misp-galaxy:bhadra-framework="Network-specific data"

Location tracking

Attacker is able to track the location of the target end-user.

The tag is: misp-galaxy:bhadra-framework="Location tracking"

Calls eavesdropping

Attacker is able to eavesdrop on calls.

The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"

SMS interception

Attacker is able to intercept SMS messages.

The tag is: misp-galaxy:bhadra-framework="SMS interception"

Data interception

Attacker is able to intercept or modify internet traffic.

The tag is: misp-galaxy:bhadra-framework="Data interception"

Billing frauds

Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.

The tag is: misp-galaxy:bhadra-framework="Billing frauds"

DoS - network

The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.

The tag is: misp-galaxy:bhadra-framework="DoS - network"

DoS - user

The attacker can cause denial of service to mobile users.

The tag is: misp-galaxy:bhadra-framework="DoS - user"

Identity-related attacks

Identity-based attacks involve attack techniques using user- and network-specific identifiers. Identity-based attacks harm the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used for impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing the appropriate credentials, for example to obtain free mobile services. Most of the signaling attacks that use SS7 also fall into this category. In other cases, identity-based attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.

The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"

Botnet

botnet galaxy.

Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

ADB.miner

A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.

Only devices running the Android OS have been infected so far, such as smartphones, smart TVs, and TV set-top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab (Netlab), the team that discovered the botnet and named it ADB.miner.

The tag is: misp-galaxy:botnet="ADB.miner"

Table 703. Table References

Links

https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/
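ADB.miner spreads by finding port 5555 open and getting an unauthenticated ADB session; the natural check for a defender is to speak the first step of the ADB wire protocol to a host and see whether it answers like an exposed debug bridge. The following is an added example, not code from the page, from Netlab or from the Android project. It builds the client's CNXN message from the public ADB protocol layout (24-byte header of six little-endian uint32s: command, arg0, arg1, data length, payload byte sum, command XOR 0xFFFFFFFF), parses the reply, and classifies it as open (device completes the handshake), auth-required (device sends an AUTH token to be signed) or not ADB at all. The sample replies at the bottom are constructed so the classifier can be exercised offline; the payload-length cap in `probe` is an assumption of this example.

```python
import socket
import struct

# ADB wire-protocol constants (public ADB protocol description).
A_CNXN = 0x4E584E43            # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541            # b"AUTH"
A_VERSION = 0x01000000         # protocol version sent by classic adb clients
MAX_PAYLOAD = 4096
ADB_AUTH_TOKEN = 1             # AUTH arg0: device hands over a token to be RSA-signed
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic


def build_message(command, arg0, arg1, payload=b""):
    """Encode one ADB message: 24-byte header followed by the payload.
    data_check is the byte sum of the payload; magic is command XOR 0xFFFFFFFF."""
    data_check = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), data_check, magic) + payload


def build_cnxn(identity=b"host::\x00"):
    """The CNXN message an adb client sends first; 'host::' identifies us as a client."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_message(buf):
    """Decode an ADB message from buf.
    Returns (command, arg0, arg1, payload), or None if it is not well formed."""
    if len(buf) < HEADER.size:
        return None
    command, arg0, arg1, length, data_check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        return None
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None
    # Newer protocol versions may send a zero checksum; otherwise it must match.
    if data_check not in (0, sum(payload) & 0xFFFFFFFF):
        return None
    return command, arg0, arg1, payload


def classify_response(buf):
    """Map the first message a listener sends back to a verdict."""
    msg = parse_message(buf)
    if msg is None:
        return "not-adb"
    command, arg0, _arg1, payload = msg
    if command == A_CNXN and payload.startswith(b"device::"):
        return "open"            # handshake completed, no key required
    if command == A_AUTH and arg0 == ADB_AUTH_TOKEN:
        return "auth-required"   # adbd wants a signed token first
    return "unknown"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port=5555, timeout=3.0):
    """Connect, send CNXN, and classify the first reply (network I/O; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER.size)
        if len(header) < HEADER.size:
            return "not-adb"
        length = HEADER.unpack_from(header)[3]
        if length > MAX_PAYLOAD * 64:   # assumed cap against hostile length fields
            return "not-adb"
        return classify_response(header + _recv_exact(sock, length))


# Constructed replies, used to exercise the classifier without a device.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=example;ro.product.model=x;\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, ADB_AUTH_TOKEN, 0, bytes(range(20)))
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # e.g. python adb_probe.py 192.0.2.10
```

A host that answers "open" is exactly what ADB.miner looks for: anyone who can reach the port gets a shell. "auth-required" means adbd is listening but will only talk to a client whose RSA key the device has approved, which still leaves the port worth closing (`adb usb` on the device turns TCP listening off).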

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

The tag is: misp-galaxy:botnet="Bagle"

Bagle is also known as:

  • Beagle

  • Mitglieder

  • Lodeight

Bagle has relationships with:

  • similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"

Table 704. Table References

Links

https://en.wikipedia.org/wiki/Bagle_(computer_worm)

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

The tag is: misp-galaxy:botnet="Marina Botnet"

Marina Botnet is also known as:

  • Damon Briant

  • BOB.dc

  • Cotmonger

  • Hacktool.Spammer

  • Kraken

Marina Botnet has relationships with:

  • similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"

Table 705. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Torpig

Torpig, also known as Anserin or Sinowal, is a type of botnet spread through systems compromised by the Mebroot rootkit, delivered by a variety of trojan horses, for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

The tag is: misp-galaxy:botnet="Torpig"

Torpig is also known as:

  • Sinowal

  • Anserin

Torpig has relationships with:

  • similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"

Table 706. Table References

Links

https://en.wikipedia.org/wiki/Torpig

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The tag is: misp-galaxy:botnet="Storm"

Storm is also known as:

  • Nuwar

  • Peacomm

  • Zhelatin

  • Dorf

  • Ecard

Table 707. Table References

Links

https://en.wikipedia.org/wiki/Storm_botnet

Rustock

The tag is: misp-galaxy:botnet="Rustock"

Rustock is also known as:

  • RKRustok

  • Costrat

Rustock has relationships with:

  • similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"

Table 708. Table References

Links

https://en.wikipedia.org/wiki/Rustock_botnet

Donbot

The tag is: misp-galaxy:botnet="Donbot"

Donbot is also known as:

  • Buzus

  • Bachsoy

Donbot has relationships with:

  • similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"

Table 709. Table References

Links

https://en.wikipedia.org/wiki/Donbot_botnet

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. Related to: Wigon, Pushdo.

The tag is: misp-galaxy:botnet="Cutwail"

Cutwail is also known as:

  • Pandex

  • Mutant

Cutwail has relationships with:

  • similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"

Table 710. Table References

Links

https://en.wikipedia.org/wiki/Cutwail_botnet

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

The tag is: misp-galaxy:botnet="Akbot"

Akbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

Table 711. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Srizbi

The Srizbi botnet was considered one of the world’s largest botnets, responsible for sending out more than half of all the spam sent by all the major botnets combined. The botnet consisted of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes dropped by up to 93% as a result of this action.

The tag is: misp-galaxy:botnet="Srizbi"

Srizbi is also known as:

  • Cbeplay

  • Exchanger

Table 712. Table References

Links

https://en.wikipedia.org/wiki/Srizbi_botnet

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

The tag is: misp-galaxy:botnet="Lethic"

Lethic has relationships with:

  • similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"

Table 713. Table References

Links

https://en.wikipedia.org/wiki/Lethic_botnet

Xarvester

The tag is: misp-galaxy:botnet="Xarvester"

Xarvester is also known as:

  • Rlsloup

  • Pixoliz

Table 714. Table References

Links

https://krebsonsecurity.com/tag/xarvester/

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

The tag is: misp-galaxy:botnet="Sality"

Sality is also known as:

  • Sector

  • Kuku

  • Sality

  • SalLoad

  • Kookoo

  • SaliCode

  • Kukacka

Sality has relationships with:

  • similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"

Table 715. Table References

Links

https://en.wikipedia.org/wiki/Sality

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

The tag is: misp-galaxy:botnet="Mariposa"

Table 716. Table References

Links

https://en.wikipedia.org/wiki/Mariposa_botnet

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

The tag is: misp-galaxy:botnet="Conficker"

Conficker is also known as:

  • DownUp

  • DownAndUp

  • DownAdUp

  • Kido

Conficker has relationships with:

  • similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"

Table 717. Table References

Links

https://en.wikipedia.org/wiki/Conficker

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The tag is: misp-galaxy:botnet="Waledac"

Waledac is also known as:

  • Waled

  • Waledpak

Table 718. Table References

Links

https://en.wikipedia.org/wiki/Waledac_botnet

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

The tag is: misp-galaxy:botnet="Maazben"

Table 719. Table References

Links

https://www.symantec.com/connect/blogs/evaluating-botnet-capacity

Onewordsub

The tag is: misp-galaxy:botnet="Onewordsub"

Table 720. Table References

Links

https://www.botnets.fr/wiki/OneWordSub

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

The tag is: misp-galaxy:botnet="Gheg"

Gheg is also known as:

  • Tofsee

  • Mondera

Gheg has relationships with:

  • similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"

Table 721. Table References

Links

https://www.cert.pl/en/news/single/tofsee-en/

Nucrypt

The tag is: misp-galaxy:botnet="Nucrypt"

Table 722. Table References

Links

https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en

Wopla

The tag is: misp-galaxy:botnet="Wopla"

Table 723. Table References

Links

https://www.botnets.fr/wiki.old/index.php/Wopla

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

The tag is: misp-galaxy:botnet="Asprox"

Asprox is also known as:

  • Badsrc

  • Aseljo

  • Danmec

  • Hydraflux

Asprox has relationships with:

  • similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"

Table 724. Table References

Links

https://en.wikipedia.org/wiki/Asprox_botnet

Spamthru

Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing on the same infected host, so that it could get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of its built-in defences.

The tag is: misp-galaxy:botnet="Spamthru"

Spamthru is also known as:

  • Spam-DComServ

  • Covesmer

  • Xmiler

Table 725. Table References

Links

http://www.root777.com/security/analysis-of-spam-thru-botnet/

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The tag is: misp-galaxy:botnet="Gumblar"

Table 726. Table References

Links

https://en.wikipedia.org/wiki/Gumblar

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

The tag is: misp-galaxy:botnet="BredoLab"

BredoLab is also known as:

  • Oficla

BredoLab has relationships with:

  • similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"

Table 727. Table References

Links

https://en.wikipedia.org/wiki/Bredolab_botnet

Grum

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.

The tag is: misp-galaxy:botnet="Grum"

Grum is also known as:

  • Tedroo

  • Reddyb

Table 728. Table References

Links

https://en.wikipedia.org/wiki/Grum_botnet

Mega-D

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The tag is: misp-galaxy:botnet="Mega-D"

Mega-D is also known as:

  • Ozdok

Table 729. Table References

Links

https://en.wikipedia.org/wiki/Mega-D_botnet

Kraken

The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

The tag is: misp-galaxy:botnet="Kraken"

Kraken is also known as:

  • Kracken

Kraken has relationships with:

  • similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"

Table 730. Table References

Links

https://en.wikipedia.org/wiki/Kraken_botnet

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

The tag is: misp-galaxy:botnet="Festi"

Festi is also known as:

  • Spamnost

Table 731. Table References

Links

https://en.wikipedia.org/wiki/Festi_botnet

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

The tag is: misp-galaxy:botnet="Vulcanbot"

Table 732. Table References

Links

https://en.wikipedia.org/wiki/Vulcanbot

LowSec

The tag is: misp-galaxy:botnet="LowSec"

LowSec is also known as:

  • LowSecurity

  • FreeMoney

  • Ring0.Tools

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The tag is: misp-galaxy:botnet="TDL4"

TDL4 is also known as:

  • TDSS

  • Alureon

TDL4 has relationships with:

  • similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"

Table 733. Table References

Links

https://en.wikipedia.org/wiki/Alureon#TDL-4

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

The tag is: misp-galaxy:botnet="Zeus"

Zeus is also known as:

  • Zbot

  • ZeuS

  • PRG

  • Wsnpoem

  • Gorhax

  • Kneber

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 734. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

The tag is: misp-galaxy:botnet="Kelihos"

Kelihos is also known as:

  • Hlux

Kelihos has relationships with:

  • similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"

Table 735. Table References

Links

https://en.wikipedia.org/wiki/Kelihos_botnet

Ramnit

Ramnit is a computer worm affecting Windows users. It was estimated to have infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec in 2015. In 2015, the infection was estimated at 3 200 000 PCs.

The tag is: misp-galaxy:botnet="Ramnit"

Ramnit has relationships with:

  • similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 736. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Zer0n3t

The tag is: misp-galaxy:botnet="Zer0n3t"

Zer0n3t is also known as:

  • Fib3rl0g1c

  • Zer0n3t

  • Zer0Log1x

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

The tag is: misp-galaxy:botnet="Chameleon"

Table 737. Table References

Links

https://en.wikipedia.org/wiki/Chameleon_botnet

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:botnet="Mirai"

Mirai has relationships with:

  • similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 738. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

XorDDoS

XOR DDOS is a Linux trojan used to perform large-scale DDoS

The tag is: misp-galaxy:botnet="XorDDoS"

Table 739. Table References

Links

https://en.wikipedia.org/wiki/Xor_DDoS

Satori

According to a report Li shared with Bleeping Computer, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, able to spread by itself without the need for separate components.

The tag is: misp-galaxy:botnet="Satori"

Satori is also known as:

  • Okiru

Satori has relationships with:

  • similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 740. Table References

Links

https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/

https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant

BetaBot

The tag is: misp-galaxy:botnet="BetaBot"

BetaBot has relationships with:

  • similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"

Hajime

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existence was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

The tag is: misp-galaxy:botnet="Hajime"

Hajime has relationships with:

  • similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"

Table 741. Table References

Links

https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/

https://en.wikipedia.org/wiki/Hajime_(malware)

https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

The tag is: misp-galaxy:botnet="Muhstik"

Table 742. Table References

Links

https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.

The tag is: misp-galaxy:botnet="Hide and Seek"

Hide and Seek is also known as:

  • HNS

  • Hide 'N Seek

Hide and Seek has relationships with:

  • similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"

Table 743. Table References

Links

https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/

https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/

https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/

Mettle

The command-and-control panel and the scanner of this botnet are hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.

The tag is: misp-galaxy:botnet="Mettle"

Table 744. Table References

Links

https://thehackernews.com/2018/05/botnet-malware-hacking.html

Owari

An IoT botnet and Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot (another Mirai variant) or Omni bot. The author is called WICKED.

The tag is: misp-galaxy:botnet="Owari"

Owari has relationships with:

  • similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 745. Table References

Links

https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Brain Food

Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.

The tag is: misp-galaxy:botnet="Brain Food"

Table 746. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run commands such as: download a file, update itself, visit a website and perform HTTP, SYN and UDP flooding.

The tag is: misp-galaxy:botnet="Pontoeb"

Pontoeb is also known as:

  • N0ise

Table 747. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J

http://dataprotectioncenter.com/general/are-you-beta-testing-malware/

Trik Spam Botnet

The tag is: misp-galaxy:botnet="Trik Spam Botnet"

Trik Spam Botnet is also known as:

  • Trik Trojan

Table 748. Table References

Links

https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

Madmax

The tag is: misp-galaxy:botnet="Madmax"

Madmax is also known as:

  • Mad Max

Madmax has relationships with:

  • similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"

Table 749. Table References

Links

https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml

Pushdo

The tag is: misp-galaxy:botnet="Pushdo"

Pushdo has relationships with:

  • similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"

Table 750. Table References

Links

https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/

Simda

The tag is: misp-galaxy:botnet="Simda"

Simda has relationships with:

  • similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"

Table 751. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA15-105A

Virut

The tag is: misp-galaxy:botnet="Virut"

Virut has relationships with:

  • similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"

Table 752. Table References

Links

https://en.wikipedia.org/wiki/Virut

Bamital

The tag is: misp-galaxy:botnet="Bamital"

Bamital is also known as:

  • Mdrop-CSK

  • Agent-OCF

Table 754. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital

https://www.symantec.com/security-center/writeup/2010-070108-5941-99

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The tag is: misp-galaxy:botnet="Gafgyt"

Gafgyt is also known as:

  • Bashlite

Gafgyt has relationships with:

  • similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

Table 755. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.symantec.com/security-center/writeup/2014-100222-5658-99

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year. Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.

The tag is: misp-galaxy:botnet="Sora"

Sora is also known as:

  • Mirai Sora

Sora has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

Table 756. Table References

Links

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Torii

We have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

The tag is: misp-galaxy:botnet="Torii"

Torii has relationships with:

  • similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"

Table 757. Table References

Links

https://blog.avast.com/new-torii-botnet-threat-research

https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The tag is: misp-galaxy:botnet="Persirai"

Persirai has relationships with:

  • similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"

Table 758. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

The tag is: misp-galaxy:botnet="Chalubo"

Table 759. Table References

Links

https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

AESDDoS

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

The tag is: misp-galaxy:botnet="AESDDoS"

Table 760. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/

Arceus

A set of DDoS botnets.

The tag is: misp-galaxy:botnet="Arceus"

Arceus is also known as:

  • Katura

  • MyraV

  • myra

Mozi

Mozi infects new devices through weak telnet passwords and exploitation.

The tag is: misp-galaxy:botnet="Mozi"

Table 761. Table References

Links

https://blog.netlab.360.com/mozi-another-botnet-using-dht/

https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/

https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/

UPAS-Kit

UPAS-Kit was advertised by auroras a/k/a vinny in the middle of June 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.

The tag is: misp-galaxy:botnet="UPAS-Kit"

UPAS-Kit is also known as:

  • Rombrast

Table 762. Table References

Links

https://research.checkpoint.com/2018/deep-dive-upas-kit-vs-kronos/

https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html

https://web.archive.org/web/20130120062602/http://onthar.in/articles/upas-kit-analysis/

https://regmedia.co.uk/2019/04/19/plea.pdf

Phorpiex

Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

The tag is: misp-galaxy:botnet="Phorpiex"

Phorpiex is also known as:

  • Trik

Table 763. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting cryptocurrency mining (Monero).

The tag is: misp-galaxy:botnet="DDG"

DDG has relationships with:

  • similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"

Table 764. Table References

Links

https://twitter.com/JiaYu_521/status/1204248344043778048

https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/

https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/

https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/

https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/

https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg

Glupteba

A multi-component botnet targeting Windows computers. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).

The tag is: misp-galaxy:botnet="Glupteba"

Table 765. Table References

Links

https://blog.google/threat-analysis-group/disrupting-glupteba-operation/

Elknot

DDoS Botnet

The tag is: misp-galaxy:botnet="Elknot"

Elknot is also known as:

  • Linux/BillGates

  • BillGates

Table 766. Table References

Links

https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched

https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Liu_Wang-vb-2016-TheElknotDDoSBotnetsWeWatched.pdf

Cyclops Blink

Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.

The tag is: misp-galaxy:botnet="Cyclops Blink"

Table 767. Table References

Links

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

Abcbot

Botnet

The tag is: misp-galaxy:botnet="Abcbot"

Table 768. Table References

Links

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en

Ripprbot

Botnet

The tag is: misp-galaxy:botnet="Ripprbot"

Table 769. Table References

Links

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days

EnemyBot

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.

The tag is: misp-galaxy:botnet="EnemyBot"

EnemyBot has relationships with:

  • similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"

Table 770. Table References

Links

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

Qbot

Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. A banking Trojan that steals financial data, browser information/hooks, keystrokes and credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, the second starting in July and ongoing, as part of the latest Emotet campaign. A newer version appeared in August.

The tag is: misp-galaxy:botnet="Qbot"

Qbot is also known as:

  • QakBot

  • Pinkslipbot

Qbot has relationships with:

  • dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"

Table 771. Table References

Links

https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

Dark.IoT

This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.

The tag is: misp-galaxy:botnet="Dark.IoT"

Dark.IoT has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

Table 772. Table References

Links

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

KmsdBot

Akamai Security Research has observed a new Golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against them. The researchers from Akamai monitored only DDoS activity, but also discovered the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.

The tag is: misp-galaxy:botnet="KmsdBot"

Table 773. Table References

Links

https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware

HinataBot

Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” It looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.

The tag is: misp-galaxy:botnet="HinataBot"

HinataBot has relationships with:

  • similar: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

Table 774. Table References

Links

https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot

3ve

3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.

The tag is: misp-galaxy:botnet="3ve"

Table 775. Table References

Links

https://en.wikipedia.org/wiki/3ve

7777-Botnet

7777-Botnet has been observed brute forcing Microsoft Azure instances via Microsoft Azure PowerShell. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions.

The tag is: misp-galaxy:botnet="7777-Botnet"

Table 776. Table References

Links

https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.

The tag is: misp-galaxy:botnet="Amadey"

Table 777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AndroidBauts

AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.

The tag is: misp-galaxy:botnet="AndroidBauts"

Table 778. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Bauts/AndroidBauts.html

Andromeda

Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.

The tag is: misp-galaxy:botnet="Andromeda"

Andromeda is also known as:

  • Gamarue

  • Wauchos

Table 779. Table References

Links

https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda

https://en.wikipedia.org/wiki/Andromeda_(trojan)

ArrkiiSDK

ArrkiiSDK is a potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user’s permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.

The tag is: misp-galaxy:botnet="ArrkiiSDK"

Table 780. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Avalanche

Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers behind a constantly changing network of compromised systems acting as proxies.

The tag is: misp-galaxy:botnet="Avalanche"

Table 781. Table References

Links

https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure

Bayrob

Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.

The tag is: misp-galaxy:botnet="Bayrob"

Table 782. Table References

Links

https://www.bleepingcomputer.com/news/security/bayrob-malware-gang-had-elite-tactics-but-they-still-got-caught-anyway/

https://community.broadcom.com/symantecenterprise/viewdocument/bayrob-three-suspects-extradited-t?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Bedep

Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.

The tag is: misp-galaxy:botnet="Bedep"

Table 783. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep

Bolek

Bolek is a malware from the Kbot/Carberp family. It is subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, Tor network access, screen captures and web injects, and it uses asymmetric cryptography to secure network communications.

The tag is: misp-galaxy:botnet="Bolek"

Bolek has relationships with:

  • similar: misp-galaxy:botnet="KBOT" with estimative-language:likelihood-probability="likely"

Table 784. Table References

Links

https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine

Carna

The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.

The tag is: misp-galaxy:botnet="Carna"

Table 785. Table References

Links

https://en.wikipedia.org/wiki/Carna_botnet

Code Shikara

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and is capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials.

The tag is: misp-galaxy:botnet="Code Shikara"

Table 786. Table References

Links

https://en.wikipedia.org/wiki/Code_Shikara

Condi

A DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running on an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. Typical of Mirai-based botnets, this malware cannot survive a system reboot.

The tag is: misp-galaxy:botnet="Condi"

Table 787. Table References

Links

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389

Cooee

Cooee is a trojan pre-installed on some Phillips smartphones that displays annoying advertisements and downloads and installs different software without user knowledge.

The tag is: misp-galaxy:botnet="Cooee"

Table 788. Table References

Links

https://news.softpedia.com/news/trojan-found-preinstalled-on-the-firmware-of-some-phillips-s307-android-smartphones-499177.shtml

Coreflood

Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.

The tag is: misp-galaxy:botnet="Coreflood"

Table 789. Table References

Links

https://en.wikipedia.org/wiki/Coreflood

Crackonosh

In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.

The tag is: misp-galaxy:botnet="Crackonosh"

Table 790. Table References

Links

https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html

FluBot

FluBot is a remote control and info stealer malware. It has the ability to read and send SMS messages, delete apps, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

The tag is: misp-galaxy:botnet="FluBot"

FluBot is also known as:

  • Cabassous

  • FakeChat

Table 791. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot

FritzFrog

FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.

The tag is: misp-galaxy:botnet="FritzFrog"

Table 792. Table References

Links

https://en.wikipedia.org/wiki/FritzFrog

Gootkit

Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.

The tag is: misp-galaxy:botnet="Gootkit"

Table 793. Table References

Links

https://www.fortiguard.com/encyclopedia/botnet/7630462

Great Cannon

The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user's web browsers to flood traffic to targeted websites. According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University's Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and repurposes it to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.

The tag is: misp-galaxy:botnet="Great Cannon"

Table 794. Table References

Links

https://en.wikipedia.org/wiki/Great_Cannon

Hail Mary Cloud

The Hail Mary Cloud was, or is, a password guessing botnet, which used a statistical equivalent to brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousand of the more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attacks come from different members of the botnet, thus decreasing the effectiveness of both IP-based detection and blocking.

The tag is: misp-galaxy:botnet="Hail Mary Cloud"

Table 795. Table References

Links

https://en.wikipedia.org/wiki/Hail_Mary_Cloud

Joker

Joker is a trojan that is included in several seemingly innocuous apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.

The tag is: misp-galaxy:botnet="Joker"

Table 796. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Joker/Joker.html

KBOT

KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.

The tag is: misp-galaxy:botnet="KBOT"

Table 797. Table References

Links

https://securelist.com/kbot-sometimes-they-come-back/96157/

https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/

Linux.Darlloz

Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013. Linux.Darlloz targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability. The worm was based on proof-of-concept code that was released in October 2013. Linux.Darlloz exploits CVE-2012-1823 in order to compromise systems. Linux.Darlloz was later found in March 2014 to have started mining cryptocurrencies such as Mincoin and Dogecoin. Linux.Aidra, the malware that Linux.Darlloz attempts to usurp, targets smaller devices (like some of the variants of Darlloz), specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.

The tag is: misp-galaxy:botnet="Linux.Darlloz"

Table 798. Table References

Links

https://en.wikipedia.org/wiki/Linux.Darlloz

https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/

Marcher

Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.

The tag is: misp-galaxy:botnet="Marcher"

Table 799. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/

Matsnu

Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.

The tag is: misp-galaxy:botnet="Matsnu"

Table 800. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/

Methbot

Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This allowed the operators to game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and to charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, "watching" up to 300 million video ads a day while the bots mimicked normal computer user behavior. Estimated clicks generally reached between 200 and 300 million per day. Unlike more traditional botnets that rely on infected PCs and mobile devices, the botnet relied on data servers.

The tag is: misp-galaxy:botnet="Methbot"

Table 801. Table References

Links

https://en.wikipedia.org/wiki/Methbot

Metulji

The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.

The tag is: misp-galaxy:botnet="Metulji"

Table 802. Table References

Links

https://en.wikipedia.org/wiki/Metulji_botnet

Mevade

The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seem to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a Tor module being distributed to Mevade Trojans.

The tag is: misp-galaxy:botnet="Mevade"

Mevade is also known as:

  • Sefnit

  • SBC

Table 803. Table References

Links

https://en.wikipedia.org/wiki/Mevade_Botnet

MobiDash

MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. MobiDash can also make calls in the background.

The tag is: misp-galaxy:botnet="MobiDash"

Table 804. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Mutabaha

Mutabaha is a Trojan for Windows devices. It downloads and installs Outfire, a Chromium-based browser which pretends to be a version of the Google Chrome browser. Mutabaha is able to exfiltrate data and manipulate advertisements. Mutabaha is downloaded and installed by another malware. As a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.

The tag is: misp-galaxy:botnet="Mutabaha"

Table 805. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

MyDoom

MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.

The tag is: misp-galaxy:botnet="MyDoom"

Table 806. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

https://nordvpn.com/blog/mydoom-virus/

Necurs

The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet’s activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.

The tag is: misp-galaxy:botnet="Necurs"

Table 807. Table References

Links

https://en.wikipedia.org/wiki/Necurs_botnet

Nitol

The Nitol botnet is mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis of the botnet indicating that the botnet is mostly prevalent in China, where an estimated 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft, the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. The 3322.org domain is a Dynamic DNS service which was used by the botnet creators as command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.

The tag is: misp-galaxy:botnet="Nitol"

Table 808. Table References

Links

https://en.wikipedia.org/wiki/Nitol_botnet

Nymaim

Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. Once the dropper obtains the C&C address, it starts the real communication. It downloads two important binaries, among others: the payload, a banker module responsible for web injects (the passive member of the botnet), and an optional bot module, which tries to open ports on a router and become an active part of the botnet (when it fails to do so, it removes itself from the system).

The tag is: misp-galaxy:botnet="Nymaim"

Table 809. Table References

Links

https://cert.pl/en/posts/2017/01/nymaim-revisited/

PBot

PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.

The tag is: misp-galaxy:botnet="PBot"

PBot is also known as:

  • PythonBot

Table 810. Table References

Links

https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot

https://www.bitdefender.com/blog/businessinsights/ddos-attacks-increase-28-as-pbot-authors-use-decades-old-php-code/

Pirrit

Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.

The tag is: misp-galaxy:botnet="Pirrit"

Table 811. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pitou

Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.

The tag is: misp-galaxy:botnet="Pitou"

Table 812. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Prometei

Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary’s part. Prometei is just one of these types of networks that focuses on Monero mining.

The tag is: misp-galaxy:botnet="Prometei"

Table 813. Table References

Links

https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/

PrizeRAT

PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user’s permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.

The tag is: misp-galaxy:botnet="PrizeRAT"

Table 814. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pushlran

Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.

The tag is: misp-galaxy:botnet="Pushlran"

Table 815. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Pykspa

Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.

The tag is: misp-galaxy:botnet="Pykspa"

Table 816. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Qsnatch

Qsnatch is a trojan for Linux devices that primarily attacks network drives manufactured by QNAP. Its functions include stealing access data and opening backdoors to infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

The tag is: misp-galaxy:botnet="Qsnatch"

Table 817. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Remaiten

Remaiten is malware which infects Linux on embedded systems by brute forcing frequently used default username and password combinations from a list in order to infect a system. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. The command and control for Remaiten is handled by IRC communications. Additionally, the command and control is done by an actual IRC channel rather than only the IRC protocol. This is an improvement over bots such as Tsunami and Torlus, making Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device in order to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or downloading more malware onto the device. Remaiten is able to scan for and remove competing bots on a system compromised by it.

The tag is: misp-galaxy:botnet="Remaiten"

Table 818. Table References

Links

https://en.wikipedia.org/wiki/Remaiten

Retadup

Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims' computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors' behalf. In 2019 the French law enforcement agency, the National Gendarmerie, announced the successful takedown of the widespread Retadup botnet, one of the largest of its kind, and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers.

The tag is: misp-galaxy:botnet="Retadup"

Table 819. Table References

Links

https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/

https://thehackernews.com/2019/08/retadup-botnet-malware.html

RootSTV

RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user’s consent.

The tag is: misp-galaxy:botnet="RootSTV"

Table 820. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html

Rovnix

Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.

The tag is: misp-galaxy:botnet="Rovnix"

Table 821. Table References

Links

https://www.theregister.com/2014/11/06/rovnix_trojan_outbreak/

Slenfbot

Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm’s payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

The tag is: misp-galaxy:botnet="Slenfbot"

Table 822. Table References

Links

https://en.wikipedia.org/wiki/Slenfbot

Stacheldraht

Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.

The tag is: misp-galaxy:botnet="Stacheldraht"

Table 823. Table References

Links

https://en.wikipedia.org/wiki/Stacheldraht

Suppobox

Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.

The tag is: misp-galaxy:botnet="Suppobox"

Suppobox is also known as:

  • Bayrob

  • Nivdort

Table 824. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Triada

Triada is a trojan for Android devices. Triada’s primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.

The tag is: misp-galaxy:botnet="Triada"

Triada is also known as:

  • APK. Triada

Table 825. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html

Trinoo

Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.

The tag is: misp-galaxy:botnet="Trinoo"

Trinoo is also known as:

  • trin00

Table 826. Table References

Links

https://en.wikipedia.org/wiki/Trinoo

Zemra

Zemra is a DDoS bot which was first discovered in underground forums in May 2012. Zemra is capable of HTTP and SYN flooding and also has a simple Command & Control panel that is protected with 256-bit DES encryption for communicating with its command and control (C&C) server. Zemra also sends information such as computer name, language settings, and Windows version. It will send this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.

The tag is: misp-galaxy:botnet="Zemra"

Table 827. Table References

Links

https://en.wikipedia.org/wiki/Zemra

Ztorg

Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user’s permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.

The tag is: misp-galaxy:botnet="Ztorg"

Table 828. Table References

Links

https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html

63256 botnet

The tag is: misp-galaxy:botnet="63256 botnet"

Table 830. Table References

Links

https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router

Branded Vulnerability

List of known vulnerabilities and attacks with a branding.

Branded Vulnerability is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

Meltdown

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

The tag is: misp-galaxy:branded-vulnerability="Meltdown"

Spectre

Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

The tag is: misp-galaxy:branded-vulnerability="Spectre"

Heartbleed

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.

The tag is: misp-galaxy:branded-vulnerability="Heartbleed"

Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The tag is: misp-galaxy:branded-vulnerability="Shellshock"

Ghost

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

The tag is: misp-galaxy:branded-vulnerability="Ghost"

Stagefright

Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.

The tag is: misp-galaxy:branded-vulnerability="Stagefright"

Badlock

Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers.

The tag is: misp-galaxy:branded-vulnerability="Badlock"

Dirty COW

Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.

The tag is: misp-galaxy:branded-vulnerability="Dirty COW"

POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

The tag is: misp-galaxy:branded-vulnerability="POODLE"

BadUSB

The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.

The tag is: misp-galaxy:branded-vulnerability="BadUSB"

ImageTragick

The tag is: misp-galaxy:branded-vulnerability="ImageTragick"

Blacknurse

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

The tag is: misp-galaxy:branded-vulnerability="Blacknurse"

SPOILER

SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.

The tag is: misp-galaxy:branded-vulnerability="SPOILER"

Table 831. Table References

Links

https://arxiv.org/pdf/1903.00446v1.pdf

https://appleinsider.com/articles/19/03/05/new-spoiler-vulnerability-in-all-intel-core-processors-exposed-by-researchers

https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert-_intel_cpus_impacted_by_new_vulnerability/1

https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/

https://www.bleepingcomputer.com/news/security/amd-believes-spoiler-vulnerability-does-not-impact-its-processors/

BlueKeep

A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware.

The tag is: misp-galaxy:branded-vulnerability="BlueKeep"

Table 832. Table References

Links

https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

Cert EU GovSector

Cert EU GovSector.

Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Constituency

The tag is: misp-galaxy:cert-eu-govsector="Constituency"

EU-Centric

The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"

EU-nearby

The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"

World-class

The tag is: misp-galaxy:cert-eu-govsector="World-class"

Unknown

The tag is: misp-galaxy:cert-eu-govsector="Unknown"

Outside World

The tag is: misp-galaxy:cert-eu-govsector="Outside World"

China Defence Universities Tracker

The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.

China Defence Universities Tracker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Australian Strategic Policy Institute

Academy of Military Science (中国人民解放军军事科学院)

AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.

The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"

Table 833. Table References

Links

https://unitracker.aspi.org.au/universities/academy-of-military-science

Aero Engine Corporation of China (中国航空发动机集团有限公司)

AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC. AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene. AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"

Table 834. Table References

Links

https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china

Air Force Command College (中国人民解放军空军指挥学院)

The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958. The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.

The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"

Table 835. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-command-college

Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)

The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.

The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"

Table 836. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-communications-officers-college

Air Force Early Warning Academy (中国人民解放军空军预警学院)

The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.

The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"

Table 837. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-early-warning-academy

Air Force Engineering University (中国人民解放军空军工程大学)

The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat. AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline. Colleges under AFEU include:

The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"

Table 838. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-engineering-university

Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)

The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"

Table 839. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang

Air Force Harbin Flight Academy (空军哈尔滨飞行学院)

The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, a 2,500 m² large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced trainings like simulated tactical confrontations.

The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"

Table 840. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy

Air Force Logistics University (中国人民解放军空军后勤学院)

The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.

The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"

Table 841. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-logistics-university

Air Force Medical University (中国人民解放军空军军医大学)

The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research. The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.

The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"

Table 842. Table References

Links

https://unitracker.aspi.org.au/universities/fourth-military-medical-university

Air Force Research Institute (中国人民解放军空军研究院)

The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.

The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"

Table 843. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-research-institute

Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)

Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat’, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.

The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"

Table 844. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy

Anhui University (安徽大学)

Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.

The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"

Table 845. Table References

Links

https://unitracker.aspi.org.au/universities/anhui-university

Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)

The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"

Table 846. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces

Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)

The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"

Table 847. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense

Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)

With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"

Table 848. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense

Army Aviation College (中国人民解放军陆军航空兵学院)

The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.

The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"

Table 849. Table References

Links

https://unitracker.aspi.org.au/universities/army-aviation-college

Army Engineering University (中国人民解放军陆军工程大学)

The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force. The university’s areas of research include:

The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"

Table 850. Table References

Links

https://unitracker.aspi.org.au/universities/army-engineering-university

Army Infantry Academy (中国人民解放军陆军步兵学院)

The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.

The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"

Table 851. Table References

Links

https://unitracker.aspi.org.au/universities/army-infantry-academy

Army Medical University (中国人民解放军陆军军医大学)

The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.

The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"

Table 852. Table References

Links

https://unitracker.aspi.org.au/universities/army-medical-university

Army Military Transportation Academy (中国人民解放军陆军军事交通学院)

The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.

The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"

Table 853. Table References

Links

https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2

Army Research Institute (中国人民解放军陆军研究院)

The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology. The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commercialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.

The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"

Table 854. Table References

Links

https://unitracker.aspi.org.au/universities/army-research-institute

Army Service Academy (中国人民解放军陆军勤务学院)

The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.

The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"

Table 855. Table References

Links

https://unitracker.aspi.org.au/universities/army-service-academy

Army Special Operations Academy (中国人民解放军陆军特种作战学院)

The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"

Table 856. Table References

Links

https://unitracker.aspi.org.au/universities/army-special-operations-academy

Aviation Industry Corporation of China (中国航空工业集团有限公司)

AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management. The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website. AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"

Table 857. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china

Aviation University of Air Force (中国人民解放军空军航空大学)

AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command. AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.

The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"

Table 858. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-university-of-air-force

Beihang University (北京航空航天大学)

Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector. Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology. Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.

The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"

Table 859. Table References

Links

https://unitracker.aspi.org.au/universities/beihang-university

Beijing Electronic Science and Technology Institute (北京电子科技学院)

BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership. BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates. BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity. The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.

The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"

Table 860. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute

Beijing Institute of Technology (北京理工大学)

BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector. BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems. BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.

The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"

Table 861. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-institute-of-technology

Beijing University of Chemical Technology (北京化工大学)

BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research. Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years. BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry. BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"

Table 862. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology

Beijing University of Posts and Telecommunications (北京邮电大学)

BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research. The School of Cyberspace Security is home to one of the university’s two defence laboratories—the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education—which carries out research for the Chinese military related to cyber attacks. BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"

Table 863. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications

Central South University (中南大学)

Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and supporting the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute.

CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.

The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"

Table 864. Table References

Links

https://unitracker.aspi.org.au/universities/central-south-university

Changchun University of Science and Technology (长春理工大学)

CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years of its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’

CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialise in armaments science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院). CUST researchers working on AI are likely involved in research related to facial recognition technology.

The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"

Table 865. Table References

Links

https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology

China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)

CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics.

While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes (pictured: CARDC director, Major General Fan Zhaolin (范召林), in uniform (above) and in civilian attire on CARDC’s website (below)).

The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"

Table 866. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center

China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)

CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion).

Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"

Table 867. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation

China Aerospace Science and Technology Corporation (中国航天科技集团)

CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list.

PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration.

CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’

CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative. The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"

Table 868. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation

China Coast Guard Academy (中国人民武装警察部队海警学院)

The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines.

The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.

The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"

Table 869. Table References

Links

https://unitracker.aspi.org.au/universities/china-coast-guard-academy

China Electronics Corporation (中国电子信息产业集团有限公司)

CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semi-conductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate.

CEC is one of China’s largest companies with nearly 120 thousand employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English.

CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC.

CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.

The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"

Table 870. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-corporation

China Electronics Technology Group Corporation (中国电子科技集团公司)

CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella.

CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees.

CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5 million people are held in re-education camps.

Several CETC research institutes and subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports.

CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.

The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"

Table 871. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation

China National Nuclear Corporation (中国核工业集团有限公司)

CNNC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团).

The company is organised into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering.

Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established a military-civil fusion fund dedicated to dual-use nuclear technology research and design.

Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds.

CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.

The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"

Table 872. Table References

Links

https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation

China North Industries Group (中国兵器工业集团公司)

Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500.

Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website.

Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).

The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"

Table 873. Table References

Links

https://unitracker.aspi.org.au/universities/china-north-industries-group

China People’s Police University (中国人民警察大学)

The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control.

Research facilities at the university include:

The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"

Table 874. Table References

Links

https://unitracker.aspi.org.au/universities/china-peoples-police-university

China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)

CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program.

CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships.

On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.

The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"

Table 875. Table References

Links

https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation

China South Industries Group (中国兵器装备集团有限公司)

CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, light armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company.

CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.

The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"

Table 876. Table References

Links

https://unitracker.aspi.org.au/universities/china-south-industries-group

China State Shipbuilding Corporation (中国船舶工业集团有限公司)

CSSC was established as one of China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’

On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’

The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"

Table 877. Table References

Links

https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation

China University of Geosciences (Wuhan) (中国地质大学)

CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’.

CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"

Table 878. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan

China University of Mining and Technology (中国矿业大学)

CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research.

CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家重点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).

The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"

Table 879. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology

Chinese Academy of Engineering Physics (中国工程物理研究院)

CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base—the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base.

The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialisations, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering.

CAEP hosts part of the Tianhe-2 supercomputer, one of the world’s fastest supercomputers.

Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars.

CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.

The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"

Table 880. Table References

Links

https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics

Chongqing University (重庆大学)

CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets.

In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, in May 2018 Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control, which works on control systems engineering.

The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"

Table 881. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university

Chongqing University of Posts and Telecommunications (重庆邮电大学)

CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialised chip design. It ranks among the top 100 universities in China for science and technology.

The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"

Table 882. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications

Chongqing University of Technology (重庆理工大学)

CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialise in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However, its involvement in defence research does not appear as expansive as that of the other B8 members, and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university.

The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed partnerships with four local defence companies to collaborate on research and training.

In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"

Table 883. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-technology

Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)

COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website.

Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students.

COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.

The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"

Table 884. Table References

Links

https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china

Criminal Investigation Police University of China (中国刑事警察学院)

CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law.

The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualisation services for MPS bureaus across China.

The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"

Table 885. Table References

Links

https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china

Dalian Minzu University (大连民族大学)

DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government.

Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China.

DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at the laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups.

DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology.

DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities is likely to be another priority for the department.

The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"

Table 886. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-minzu-university

Dalian Naval Academy (中国人民解放军海军大连舰艇学院)

The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science.

Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:

The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"

Table 887. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-naval-academy

Dalian University of Technology (大连理工大学)

DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances.

In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where it manages projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.

The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"

Table 888. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-university-of-technology

Donghua University (东华大学)

DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects.

DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.

The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"

Table 889. Table References

Links

https://unitracker.aspi.org.au/universities/donghua-university

East China University of Technology (东华理工大学)

ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defense-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT.

ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.

The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"

Table 890. Table References

Links

https://unitracker.aspi.org.au/universities/east-china-university-of-technology

Engineering University of the CAPF (中国人民武装警察部队工程大学)

The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering.

The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas.

The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:

The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"

Table 891. Table References

Links

https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf

Fudan University (复旦大学)

Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage in high levels of work for the military on materials science, including stealth technology.

All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院), in partnership with China’s National Administration of State Secrets Protection (国家保密局). The institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"

Table 892. Table References

Links

https://unitracker.aspi.org.au/universities/fudan-university

Fuzhou University (福州大学)

Fuzhou University is overseen by the Fujian Provincial Government and has a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number of defence companies and military research institutions under the guidance of Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.

The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"

Table 893. Table References

Links

https://unitracker.aspi.org.au/universities/fuzhou-university

Guilin University of Electronic Science and Technology (桂林电子科技大学)

GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018.

The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"

Table 894. Table References

Links

https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology

Hangzhou Dianzi University (杭州电子科技大学)

HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines.

HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development.

Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018.

HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"

Table 895. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university

Hangzhou Normal University (杭州师范大学)

Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院).

Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision—China’s leading producer of video surveillance technology—to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"

Table 896. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-normal-university

Harbin Engineering University (哈尔滨工程大学)

HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector.

As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects.

HEU’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center.

HEU is an important hub of research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.

The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"

Table 897. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-engineering-university

Harbin Institute of Technology (哈尔滨工业大学)

HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million)—more than half of its research budget—on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector.

HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry.

HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in information warfare. In 2003, HIT founded its Information Countermeasures Technology Research Institute (哈尔滨工业大学信息对抗技术研究所).

The tag is: misp-galaxy:china-defence-universities="Harbin Institute of Technology (哈尔滨工业大学)"

Table 898. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-institute-of-technology

Harbin University of Science and Technology (哈尔滨理工大学)

HRBUST focuses on engineering, science, economics, management, philosophy, literature, law and education. In 2015, it was placed under the joint supervision of the Heilongjiang Provincial Government and SASTIND, which is an arrangement designed to develop the university’s involvement in defence-related research and training.

HRBUST’s relationship with SASTIND indicates that it will continue expanding its role in defence research. Currently, the university has at least four designated national defense disciplines and plans to build a national defense key laboratory. It holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Harbin University of Science and Technology (哈尔滨理工大学)"

Table 899. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-university-of-science-and-technology

Hebei University (河北大学)

Hebei University is Hebei Province’s only comprehensive university. The university is subordinate to the Ministry of Education and also supervised by the Hebei Provincial Government and defence industry agency SASTIND. Its supervision by SASTIND, which began in 2013, is designed to support the university in ‘strengthening its national defence characteristics’.

HBU appears to be relatively secretive about its defence research. In 2017, SASTIND designated an area of research at the university’s College of Physics Science and Technology as a ‘discipline with defence characteristics’. An article about this on the university’s news site has been taken down and deliberately did not specify the discipline. However, a speech given by the head of the college named military-use power and energy as HBU’s only defence discipline. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.

In 2017, HBU held a forum on military-civil fusion for technology and innovation to ‘uncover the university’s potential for defence-industry technological research’ and encourage greater integration with defence companies.

The tag is: misp-galaxy:china-defence-universities="Hebei University (河北大学)"

Table 900. Table References

Links

https://unitracker.aspi.org.au/universities/hebei-university

Hebei University of Science and Technology (河北科技大学)

HEBUST engages in moderate but growing levels of defence research. It has been supervised by defence industry agency SASTIND since 2013, when SASTIND and the Hebei Provincial Government agreed to jointly develop the university’s involvement in defence research. By 2017, the university claimed to have completed 300 defence projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.

While the university does not appear to have any dedicated defence laboratories, it has described five of its laboratories as platforms for defence research. Areas of materials science, mechanical engineering and control science at HEBUST have been designated ‘disciplines with national defence characteristics’ by SASTIND. HEBUST may also be pursuing greater integration between China’s defence needs and the university’s research on textiles engineering and biological fermentation.

HEBUST states that it has developed close cooperation with China Electronics Technology Group Corporation’s 54th Research Institute, an organization blacklisted on the US Government Entity List. Defence industry conglomerate Aviation Industry Corporation of China also funds research at the university.

The tag is: misp-galaxy:china-defence-universities="Hebei University of Science and Technology (河北科技大学)"

Table 901. Table References

Links

https://unitracker.aspi.org.au/universities/hebei-university-of-science-and-technology

Hefei University of Technology (合肥工业大学)

HFUT is a leading Chinese university subordinate to the Ministry of Education. It specialises in engineering and engages in growing levels of defence research, particularly in the fields of advanced materials, smart manufacturing and electronic information. As of 2018, HFUT was the only civilian university in Anhui Province fully certified to carry out military projects, holding secret-level security credentials, and had undertaken over 200 such projects.

In 2018, the university came under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND. According to HFUT, this agreement ‘will powerfully advance the university’s development of national defence disciplines, training of talent for defence industry, and construction of defence industry and national defence research platforms.’

Miao Wei, head of the Ministry of Industry and Information Technology, which oversees China’s defence industry, is a graduate of HFUT.

The tag is: misp-galaxy:china-defence-universities="Hefei University of Technology (合肥工业大学)"

Table 902. Table References

Links

https://unitracker.aspi.org.au/universities/hefei-university-of-technology

Heilongjiang Institute of Technology (黑龙江工程学院)

HLJIT is an engineering-focused university that engages in growing levels of defence research. In 2015, the Heilongjiang Provincial Government partnered with defence industry agency SASTIND to expand the university’s ability to ‘show its national defence characteristics and serve the national defence science and technology industry.’

SASTIND has designated military-use power and energy, optoelectronics and laser technology, and computing as three ‘disciplines with national defence characteristics’ at HLJIT. In June 2016, HLJIT and ZTE jointly launched an MOE-ZTE ICT Product-Teaching Integration Innovation Base (教育部-中兴通讯ICT产教融合创新基地) and established the Heilongjiang School of Engineering-ZTE Information and Communications Technology College (黑龙江工程学院-中兴信息通信技术学院). ZTE has been reportedly barred from US government contracts.

As it increases its implementation of military-civil fusion, HLJIT has developed relationships with defence conglomerates. The university is particularly close to China Aerospace Science and Technology Corporation (CASC), a leading state-owned manufacturer of long-range missiles and satellites. In 2017, HLJIT partnered with a subsidiary of CASC to establish a joint research centre, the Aerospace Smart City Research Institute. The subsidiary, Aerospace Shenzhou Smart System Technology Co., Ltd. (航天神舟智慧系统技术有限公司), specialises in smart city and informatization technology.

HLJIT holds confidential-level security credentials, allowing it to participate in confidential defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang Institute of Technology (黑龙江工程学院)"

Table 903. Table References

Links

https://unitracker.aspi.org.au/universities/heilongjiang-institute-of-technology

Heilongjiang University (黑龙江大学)

HLJU is supervised by the Ministry of Education, the Heilongjiang Provincial Government and SASTIND. SASTIND’s supervision of the university is designed to promote its integration with China’s defence technology goals. In 2016, the year after HLJU came under SASTIND’s supervision, the university received third-class security credentials and funding for a national defence technology research project for the first time. Third-class security credentials allow the university to participate in confidential defence research projects. By 2018, HLJU claimed to have received RMB13 million (AUD2.7 million) in defence research funding.

HLJU has close ties with Russian universities and is best known for its work in the Chemistry, Chemical Engineering and Materials Department, which entered the top 1 percent of ESI’s global rankings.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang University (黑龙江大学)"

Table 904. Table References

Links

https://unitracker.aspi.org.au/universities/heilongjiang-university

Henan University of Science and Technology (河南科技大学)

HAUST is Henan province’s leading civilian university for defence research. In 2008, it became the first university in the province to receive security credentials allowing it to participate in classified weapons projects. In 2016, it became the province’s only university subject to a ‘joint-construction’ agreement with defence industry agency SASTIND, an arrangement designed to increase HAUST’s involvement in defence research. As early as 2009, the university stated that it had made great contributions to the defence and aviation industries, undertaking large amounts of defence research projects.

HAUST describes itself as China’s primary university for research and training for the mechanical bearings (such as ball bearings) industry. SASTIND has designated three areas of research at the university as ‘disciplines with defence characteristics’, covering systems engineering, materials science and mechanics. The university is actively involved in military-civil fusion activities.

The university claims to have made important contributions to the development of bearings for aircraft engines, satellites, and spacecraft. It states that it has resolved critical technological problems for specific weapons guidance systems, ballistic missile testing systems and an infrared targeting and interference emulation system that are probably used to test guided missiles.

The tag is: misp-galaxy:china-defence-universities="Henan University of Science and Technology (河南科技大学)"

Table 905. Table References

Links

https://unitracker.aspi.org.au/universities/henan-university-of-science-and-technology

Huazhong University of Science and Technology (华中科技大学)

HUST is one of China’s leading research institutions. While the university is subordinate to the Ministry of Education, it has also been supervised by the State Administration of Science, Technology and Industry for National Defense since 2012.

The university hosts at least six laboratories dedicated to defence research. Its National Defence Research Institute reportedly oversees defence research in seven other HUST research centres. Artificial intelligence, shipbuilding, image processing, navigation technology, mechanical engineering, electronics, materials science and laser physics are focuses of HUST’s defence research.

HUST has worked closely with the PLA and China’s defence industry. This collaboration includes the development of artificial intelligence and imaging technology for weapons. The university’s work on pulsed power is linked to China’s nuclear and directed-energy weapons program. China’s state-owned defence conglomerates and China’s nuclear warhead facility sponsor dozens of HUST postgraduate students each year, who are required to work at their sponsoring organisation for at least five years after graduating.

HUST holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence projects.

The tag is: misp-galaxy:china-defence-universities="Huazhong University of Science and Technology (华中科技大学)"

Table 906. Table References

Links

https://unitracker.aspi.org.au/universities/huazhong-university-of-science-and-technology

Hunan University (湖南大学)

HNU is a leading Chinese university subordinate to the Ministry of Education. In recent years, its participation in defence research appears to have grown substantially. In 2010, it established the National Supercomputer Center in Changsha jointly with the PLA National University of Defense Technology, which has since been placed on the US Government Entity List for its suspected role in nuclear weapons research.

In 2011, China’s defence industry agency, SASTIND, entered a partnership with the MOE to expand the university’s participation in defence research and defence industry ties. This arrangement was renewed in 2016. In 2013, SASTIND and the Hunan Provincial Government also signed an agreement to jointly support the development of the university’s National Supercomputer Center.

HNU holds secret-level security credentials, enabling it to participate in research and production for weapons and other defence projects.

The tag is: misp-galaxy:china-defence-universities="Hunan University (湖南大学)"

Table 907. Table References

Links

https://unitracker.aspi.org.au/universities/hunan-university

Hunan University of Science and Technology (湖南科技大学)

HNUST is an engineering-focused university founded in 2003. In 2016, it was subject to a ‘joint-construction’ agreement between the Hunan Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defense-related research and training. The university has three designated defence research areas, is involved in weapons research, and has confidential-level security credentials.

HNUST is home to two national defence key laboratories, one of which is in the School of Materials Science and Engineering. The university has also established its Intelligent Manufacturing Institute, which evolved from a provincial key laboratory and has connections to the Made in China 2025 strategy.

HNUST is also linked to state-owned arms manufacturer Norinco Group. In 2018, it signed a strategic cooperation agreement with arms manufacturer Norinco’s National Defence Key Laboratory on Light Weapons Terminal Lethality Technology (轻武器终点杀伤技术国防科技重点实验 aka 瞬态冲击技术国防科技重点实验室).

The tag is: misp-galaxy:china-defence-universities="Hunan University of Science and Technology (湖南科技大学)"

Table 908. Table References

Links

https://unitracker.aspi.org.au/universities/hunan-university-of-science-and-technology

Information Engineering University (中国人民解放军信息工程大学)

IEU was formed in June 2017, combining the old Information Engineering University with the PLA Foreign Languages University. PLA experts have described IEU as ‘the sole military academy for the cyber and electronic warfare arms of China’s network-electronic forces’.

The IEU is currently subordinate to the PLA Strategic Support Force’s Network Systems Department, which holds the military’s signals intelligence capabilities. Previously, the university was run by the General Staff Department Third Department (commonly known as 3PLA), the PLA’s signals intelligence service that has been incorporated into the Strategic Support Force. IEU’s command tracks include Network Engineering (网络工程), which is dedicated to the cultivation of cyber attack and defense technical cadre (网络攻防技术干部). It is responsible for the construction of the Henan Provincial Laboratory of Visible Light Communication (河南省可见光通信重点实验室).

The university is primarily known for research and training on hacking, cryptography, signals processing, surveying and mapping, and navigation technology. However, since absorbing the PLA Foreign Languages University, it now serves as one of the most important language schools for Chinese military intelligence officers, describing itself as a ‘whole-military foreign languages training base for individuals going abroad’. While the PLA Foreign Languages University is best known for training signals intelligence officers, it has also trained many officers in the PLA’s political warfare wing, the Central Military Commission Political Work Department Liaison Bureau.

The tag is: misp-galaxy:china-defence-universities="Information Engineering University (中国人民解放军信息工程大学)"

Table 909. Table References

Links

https://unitracker.aspi.org.au/universities/information-engineering-university-2

Institute of NBC Defense (陆军防化学院)

The Institute of NBC Defense is the PLA’s premier institution devoted to training junior, mid-career and senior officers on technology related to defence against nuclear, biological and chemical weapons. Most scientific research tends to focus on radiation protection and nuclear safety.

The tag is: misp-galaxy:china-defence-universities="Institute of NBC Defense (陆军防化学院)"

Table 910. Table References

Links

https://unitracker.aspi.org.au/universities/institute-of-nbc-defense

Jiangnan Social University (江南社会学院)

JSU trains intelligence officers in tradecraft and carries out research on intelligence and security. The university first opened in 1986 with over 600 students and staff. Since 1999, it has run the Journal of Jiangnan Social University, which publishes research on international security, strategy and politics. Satellite and streetview imagery from Google Maps and Baidu appears to show a shooting range at the southern end of its campus.

The tag is: misp-galaxy:china-defence-universities="Jiangnan Social University (江南社会学院)"

Table 911. Table References

Links

https://unitracker.aspi.org.au/universities/jiangnan-social-university

Jiangsu University of Science and Technology (江苏科技大学)

JUST engages in high levels of defence research. With a focus on research relevant to the PLA Navy, JUST is supervised by the China State Shipbuilding Corporation and the China Shipbuilding Industry Corporation, China’s leading defence shipbuilding conglomerates. In 2002, JUST was one of eight universities jointly supervised by defence industry agency COSTIND and a provincial government. In 2016, it was the subject of an agreement between the Jiangsu Provincial Government and defence industry agency SASTIND to expand its role in defence research.

JUST scientists have been involved in nuclear submarine, unmanned submersible and aircraft carrier projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.

Faculties at the university involved in defence research include the School of Naval Architecture and Ocean Engineering and the School of Energy and Propulsion.

The tag is: misp-galaxy:china-defence-universities="Jiangsu University of Science and Technology (江苏科技大学)"

Table 912. Table References

Links

https://unitracker.aspi.org.au/universities/jiangsu

Jilin University (吉林大学)

JLU is directly under the administration of the Ministry of Education and came under the joint supervision of the ministry and defence industry agency SASTIND in 2016. In 2017, SASTIND designated eight fields of research at JLU as national defence disciplines, indicating the university carries out high levels of defence research. In 2012, JLU spent roughly RMB60 million (AUD12.5 million) on defence research, a number that is likely to have grown substantially.

JLU’s National Defense Science and Technology Research Institute, also known as the Advanced Technology Research Institute, was established in April 2006 and is responsible for the organisation and management of the university’s national defence science and technology projects. The research institute has received several certifications to conduct research for military applications. It conducts research in collaboration with the former PLA General Armaments Department, SASTIND, and state-owned defence conglomerates in the fields of aviation, aerospace, electronics, nuclear technology, and shipbuilding.

JLU’s State Key Laboratory of Superhard Materials (超硬材料国家重点实验室) works closely with China’s nuclear weapons complex, the Chinese Academy of Engineering Physics (CAEP). Job advertisements for a CAEP subsidiary, the Center for High Pressure Science & Technology Advanced Research (北京高压科学研究中心), state that it has a branch within Jilin University. This suggests that CAEP may even be involved in managing the State Key Laboratory of Superhard Materials.

The university hosts at least two defence research labs, located in the university’s College of Computer Science and Technology and in the College of Chemistry. Its Key Laboratory of Attack and Defense Simulation Technology for Naval Warfare, Ministry of Education (海战场攻防对抗仿真技术教育部重点实验室(B类)) is involved in cybersecurity research for the Navy. The lab’s academic committee is headed by a computer scientist from China Aerospace Science and Technology Corporation, a leading state-owned missile manufacturer. JLU holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Jilin University (吉林大学)"

Table 913. Table References

Links

https://unitracker.aspi.org.au/universities/jilin-university

Kunming University of Science and Technology (昆明理工大学)

Kunming University of Science and Technology appears to engage in low levels of defence research, but its involvement in defence research is likely to grow. In 2017, Kunming University of Science and Technology signed an agreement with Yunnan’s defence technology bureau to deepen military-civil fusion. In 2018, the Yunnan Provincial Government and defence industry agency SASTIND signed an agreement to jointly construct KMUST. The agreement is designed to increase the university’s involvement in defence research. KMUST carries out high levels of research on metallurgy. It is involved in defence research related to China’s aviation industry, and collaborates with defence shipbuilding conglomerate CSIC on vibration and noise research.

The tag is: misp-galaxy:china-defence-universities="Kunming University of Science and Technology (昆明理工大学)"

Table 914. Table References

Links

https://unitracker.aspi.org.au/universities/kunming-university-of-science-and-technology

Lanzhou University (兰州大学)

LZU’s involvement in defence research has slowly grown over the past decade. In 2018, it spent over RMB50 million (AUD10 million) on defence projects. LZU is subordinate to the Ministry of Education. Since 2018, it has also been supervised by defence industry agency SASTIND in an arrangement designed to further expand the university’s defence research and its defence industry relationships. LZU carries out national defence-related research in areas such as nuclear science, electromagnetism, probes, chemistry, mechanics, materials science, stealth technology and information technology. In 2017 and 2018, LZU signed strategic agreements with state-owned defence companies Norinco Group, China’s largest arms manufacturer, and China National Nuclear Corporation. Several defence companies, as well as China’s nuclear weapons program, provide scholarships for dozens of LZU postgraduate students each year. In return, these students must work for their sponsoring organisation for five years after graduation. In 2005, LZU received secret-level security credentials that allow it to participate in classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Lanzhou University (兰州大学)"

Table 915. Table References

Links

https://unitracker.aspi.org.au/universities/lanzhou-university

Lanzhou University of Technology (兰州理工大学)

Lanzhou University of Technology (兰州理工大学)

The tag is: misp-galaxy:china-defence-universities="Lanzhou University of Technology (兰州理工大学)"

Table 916. Table References

Links

https://unitracker.aspi.org.au/universities/lanzhou-university-of-technology

Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)

The Logistics University of the People’s Armed Police Force is an institution devoted to training personnel in logistics for China’s paramilitary service, the People’s Armed Police. The university teaches subjects in applied economics, military logistics studies, paramilitary logistics, applied psychology, as well as communications and transportation engineering. The Logistics University of the People’s Armed Police Force actively collaborates with private institutions and civilian universities on scientific research. For example, the university collaborated with Nankai University (南开大学) and the Tianjin Eminent Electric Cell Material Company (天津爱敏特电池材料有限公司) on high performance lithium and sodium ion materials in 2018. The university also collaborated with Tianjin Polytechnic University (天津工业大学) on intelligent wearable technology that monitors heart rates for both military and civilian personnel.

The tag is: misp-galaxy:china-defence-universities="Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)"

Table 917. Table References

Links

https://unitracker.aspi.org.au/universities/logistics-university-of-the-peoples-armed-police-force

Nanchang Hangkong University (南昌航空大学)

NCHU engages in high levels of defence research relevant to the aviation industry. In 2017, the Ministry of Education designated it a ‘school with national defence education characteristics’, and 30% of graduates go to work in the defence industry or civilian aviation companies. The university has been supervised by defence industry agency SASTIND since 2010. It holds secret-level security credentials. Five fields of research at NCHU are designated ‘national defence key disciplines’: precision forming and joining technology, component quality testing and control, testing and measurement technology and instruments, optoelectric and laser technology, and military-use critical materials. The university hosts at least three laboratories focused on defence research. NCHU is particularly close to AVIC, the Chinese military’s aircraft manufacturing company. In particular, AVIC subsidiary Hongdu Aviation Industry Group (洪都航空工业集团) is based in Nanchang and has frequent exchanges with NCHU.

The tag is: misp-galaxy:china-defence-universities="Nanchang Hangkong University (南昌航空大学)"

Table 918. Table References

Links

https://unitracker.aspi.org.au/universities/nanchang-hangkong-university

Nanchang University (南昌大学)

NCU engages in low levels of defence research. It holds secret-level security credentials, allowing it to carry out classified defence research. In 2006, it established a defence research institute together with five provincial defence industry companies. Based on affiliated staff members, the institute may be focused on mechanical engineering. The university was added to the US Government Unverified List in 2018. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Nanchang University (南昌大学)"

Table 919. Table References

Links

https://unitracker.aspi.org.au/universities/nanchang-university

Nanjing Army Command College (南京陆军指挥学院)

The Nanjing Army Command College is an institute devoted to training mid-career staff officers in preparation for command positions in the PLA Ground Force. Disciplines of focus for the college include joint campaign tactics, warfighting command, military training and combat simulations.

The tag is: misp-galaxy:china-defence-universities="Nanjing Army Command College (南京陆军指挥学院)"

Table 920. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-army-command-college

Nanjing Institute of Information Technology (南京信息技术研究院)

Nanjing Institute of Information Technology (南京信息技术研究院)

The tag is: misp-galaxy:china-defence-universities="Nanjing Institute of Information Technology (南京信息技术研究院)"

Table 921. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-institute-of-information-technology

Nanjing Normal University (南京师范大学)

Nanjing Normal University is a leading Chinese university supervised by the Ministry of Education and Jiangsu Provincial Government. The university has strengths in geospatial technology, big data and artificial intelligence. Nanjing Normal University has close ties to the Ministry of Public Security. In 2014, the university established the Ministry of Public Security Key Laboratory for Police Geospatial Information Technology (警用地理信息技术公安部重点实验室), which researches applications of geospatial information technology for policing purposes. Nanjing Normal University has also entered into an agreement with the Nanjing Municipal Public Security Bureau, establishing the ‘Video GIS Technology Laboratory’ (视频GIS技术实验室) in April 2012. Nanjing Normal University has a close relationship with the regional government in Xinjiang, where over 1 million Uyghurs and Kazakhs are currently held in internment camps. In 2015, the university entered into an agreement with the Xinjiang Uyghur Autonomous Government and the Jiangsu Municipal Government to support the development of Yili Normal University.

The tag is: misp-galaxy:china-defence-universities="Nanjing Normal University (南京师范大学)"

Table 922. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-normal-university

Nanjing Tech University (南京工业大学)

In 2016, NJTech came under the joint supervision of the Jiangsu Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defence-related research and training. The university has four designated defence research areas and secret-level security credentials, allowing it to undertake classified defence technology projects. NJTech is expanding its defence research on materials science, chemistry, optical engineering and systems engineering. In 2018, the university established a Military-Civil Fusion Development Research Institute to deepen its implementation of military-civil fusion. NJTech has a Defence Industry Science Office (军工科研办公室) within its Department of Scientific Research. This office is responsible for the university’s defence-related research and coordination. NJTech’s School of Materials Science and Engineering (材料科学与工程学院) has previously worked on defence-related projects. The university has international ties with universities in England that focus on electronics and semiconductors. It has also established a joint research center with Russian universities for advanced technology R&D.

The tag is: misp-galaxy:china-defence-universities="Nanjing Tech University (南京工业大学)"

Table 923. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-tech-university

Nanjing University (南京大学)

NJU is subordinate to the MOE and has also been supervised by defence industry agency SASTIND since 2012. In 2016, the university was selected as a participant in the first batch of national dual-use demonstration bases, and a year later in 2017 was selected as a Class A world-class university. NJU is home to at least two defence laboratories and has committed to deepening its involvement in military-civil fusion (MCF). As the first university in China to establish a State Secrecy Academy, in 2009, Nanjing University is involved in cyber security research. In 2018, NJU established an Institute of Artificial Intelligence and reported its research progress to the Jiangsu Provincial Committee of Military-Civilian Fusion when they visited the university. Following the visit, the provincial committee expressed interest in deepening cooperation on MCF projects in order to promote Jiangsu’s MCF work. The Institute of AI also co-built a research center with Intel, the Intel-Nanjing University Artificial Intelligence Research Center, which is Intel’s first research center focusing on AI in China. The university’s rapidly developing AI Institute provides an opportunity for deepening its involvement in MCF R&D. In May 2018, NJU signed a strategic cooperation agreement with Megvii (旷视科技). Megvii has been blacklisted by the US government over human rights abuses.

The tag is: misp-galaxy:china-defence-universities="Nanjing University (南京大学)"

Table 924. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university

Nanjing University of Aeronautics and Astronautics (南京航空航天大学)

NUAA is one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. NUAA specialises in aerospace research and works closely with the Chinese military as well as civilian and military aviation companies, including military aircraft manufacturers AVIC and AECC. 21% of the university’s graduates in 2018 who found employment were working in the defence sector. The university claims to have participated in nearly all major national aviation projects, including the development of the Chang’e 3 unmanned lunar explorer. NUAA hosts China’s only national defence laboratory for helicopter technology. NUAA has attracted controversy for its alleged involvement in the Ministry of State Security’s efforts to steal US aviation technology.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Aeronautics and Astronautics (南京航空航天大学)"

Table 925. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-aeronautics-and-astronautics

Nanjing University of Posts and Telecommunications (南京邮电大学)

NJUPT was initially ‘one of the earliest institutions devoted to training communications personnel for the Chinese Communist Party and red army’. Since then, NJUPT has evolved from a training college to a civilian university that offers undergraduate, post-graduate and doctoral degrees in various communications and engineering disciplines. NJUPT holds secret-level security credentials, allowing it to participate in classified defence research projects. Key areas of research at the university include:

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Posts and Telecommunications (南京邮电大学)"

Table 926. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-posts-and-telecommunications

Nanjing University of Science and Technology (南京理工大学)

NJUST is one of the ‘Seven Sons of National Defence’ administered by the Ministry of Industry and Information Technology. Together with Beijing Institute of Technology, it was ranked as China’s top university for armaments science in 2017. Roughly 16% of the university’s graduates in 2018 who found employment were working in the defence sector. NJUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions specialising in weapons science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Indicative of the university’s high level of involvement in defence research, in 2013 a disused laboratory on its campus exploded, killing one, after workers disturbed a cache of explosives. NJUST has a collaborative relationship with a PLA signals intelligence research institute, involving cooperation on unmanned combat platforms and information security.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Science and Technology (南京理工大学)"

Table 927. Table References

Links

https://unitracker.aspi.org.au/universities/nanjing-university-of-science-and-technology

National Defense University (中国人民解放军国防大学)

NDU is the PLA’s ‘premier’ institution for training in military theory, strategy, operations and political work, with a history that can be traced back to the era of Mao Zedong’s peasant-led red army in 1927. The university is devoted to training the PLA’s officer corps in preparation for senior leadership positions. Given this focus on the softer skills of PLA administration, the National Defense University does not have as strong a focus on hard science as its counterpart, the National University of Defense Technology.

The tag is: misp-galaxy:china-defence-universities="National Defense University (中国人民解放军国防大学)"

Table 928. Table References

Links

https://unitracker.aspi.org.au/universities/national-defense-university

National University of Defense Technology (中国人民解放军国防科技大学)

In 2017, NUDT was reformed and placed in charge of the Institute of International Relations in Nanjing, the National Defense Information Institute in Wuhan, the Xi’an Communications College, the Electrical Engineering Institute in Hefei, and the College of Meteorology and Oceanography in Nanjing. The Institute of International Relations in Nanjing is a key training centre for intelligence officers.

NUDT is known for its research on supercomputers, autonomous vehicles, hypersonic missiles and China’s Beidou Navigation Satellite System. The university developed the Tianhe-2A supercomputer at the National Supercomputing Center in Guangzhou, the world’s fastest supercomputer from 2013 to 2016. NUDT’s Tianhe-1A supercomputer is based at Hunan University’s National Supercomputing Center Changsha (国家超级计算长沙中心).

For over a decade, NUDT has aggressively leveraged overseas expertise and resources to build its capabilities. The Australian Strategic Policy Institute’s International Cyber Policy Centre’s October 2018 report ‘Picking flowers, making honey: The Chinese military’s collaboration with foreign universities’ documented and analysed NUDT’s overseas presence. The report found that by 2013 the university had sent over 1,600 of its professors and students to study and work abroad. Universities in the United States, the United Kingdom, Australia, Canada, Singapore, the Netherlands and Germany engage in some of the highest levels of collaboration with NUDT. Some of NUDT’s leading experts on drone swarms, hypersonic missiles, supercomputers, radars, navigation and quantum physics have been sent to study or work abroad.

Defected Chinese spy Wang Liqiang claimed in 2019 that NUDT’s ‘Intelligence Center’ sent him fake passports for his mission to interfere in Taiwanese politics. This indicates that the university plays an important role in supporting China’s overseas intelligence activity. NUDT also works with foreign technology companies. Google and Microsoft have both worked with and trained NUDT scientists.

The tag is: misp-galaxy:china-defence-universities="National University of Defense Technology (中国人民解放军国防科技大学)"

Table 929. Table References

Links

https://unitracker.aspi.org.au/universities/national-university-of-defense-technology

Naval Command College (中国人民解放军海军指挥学院)

The Naval Command College is an institution that provides education and training for naval officers in a variety of disciplines such as military thought, strategic studies, intelligence training and political work along with military operations, tactics and campaigns. The college plays a crucial role in improving the quality of PLA Navy personnel, as well as providing combined arms training for mid-career political commissars, logistics officers and equipment officers. The college serves to improve strategic and tactical thinking in the PLA Navy by hosting the Naval Campaigns and Tactics Center Laboratory (海军战役战术中心实验室) and producing research that looks at operationalising new training and command systems. It is the PLA-N’s last remaining command academic institution.

The tag is: misp-galaxy:china-defence-universities="Naval Command College (中国人民解放军海军指挥学院)"

Table 930. Table References

Links

https://unitracker.aspi.org.au/universities/naval-command-college

Naval Petty Officer Academy (中国人民解放军海军士官学校)

The academy has three main departments focused on training, campus affairs and political work. It has published research on radar jamming.

The tag is: misp-galaxy:china-defence-universities="Naval Petty Officer Academy (中国人民解放军海军士官学校)"

Table 931. Table References

Links

https://unitracker.aspi.org.au/universities/naval-petty-officer-academy

Naval Research Academy (中国人民解放军海军研究院)

The Naval Research Academy was established in July 2017 following Xi Jinping’s military reforms. Main areas of study include military theory and technological research as well as the maritime environment and national defence engineering. The Naval Research Academy actively collaborates with civilian universities as part of China’s military-civil fusion program. In April 2019, delegates from the Naval Research Academy attended a meeting with officials from Xi’an Jiaotong University on co-operation directed at improving the quality assurance and technological reliability of complex armaments currently in service in the PLA Navy. Major General Li Wei from the Naval Research Academy stated that his colleagues were paying ‘very close attention to this co-operation with Xi’an Jiaotong University’ in the development and sustainment of naval equipment.

The Naval Research Academy also collaborates with civilian research institutes. For example, the Institute for Industrial Military-Civil Fusion at the Research Institute of Machinery Industry Economic and Management claims to have worked with the Naval Research Academy and a number of state-owned enterprises that focus on defence technology, such as China Shipbuilding Industry Corporation (CSIC), in order to develop strategies for military-civil fusion.

The Naval Research Academy’s involvement in military-civil fusion is particularly notable for work on maritime information technology and equipment. In January 2019, delegates from the Naval Research Academy attended a conference hosted by the National Key Laboratory of Underwater Acoustic Science and Technology (水声技术国防科技重点实验室) and the Key Laboratory of Marine Information Acquisition and Security Industry and Information Technology (海洋信息获取与安全工业和信息化部重点实验室) of Harbin Engineering University (HEU). The Naval Research Academy’s Liu Qingyu (刘清宇) was reported to have made a presentation on international and domestic developments in marine sonar technology at the conference. Liu Qingyu from the Naval Research Academy has a particularly strong record of engagement with civilian and military institutions for his research into marine sonar technology. In 2018, Liu delivered a presentation to the Northwestern Polytechnical University (NPU) which ‘elaborated on some of the problems facing the national coastal defence industry’ and ‘suggested areas for future research into marine acoustics.’ Both students and academics from NPU attended Liu’s presentation. Liu has also published papers on acoustic science with scholars from the Chinese Academy of Sciences, the Naval University of Engineering, and Northwestern Polytechnical University.

The tag is: misp-galaxy:china-defence-universities="Naval Research Academy (中国人民解放军海军研究院)"

Table 932. Table References

Links

https://unitracker.aspi.org.au/universities/naval-research-academy

Naval University of Engineering (中国人民解放军海军工程大学)

NUE is one of the PLA’s five comprehensive universities, which trains students in a variety of engineering and core military disciplines related to naval warfare. The university is home to two national laboratories. The National Key Laboratory for Vessel Integrated Power System Technology (舰船综合电力技术国防科技重点实验室) was established in 2010 to carry out ‘indigenous research and development’ into integrated electric propulsion (IEP) systems that power naval vessels at sea. IEP generally uses diesel generators and/or gas turbines to generate the electricity needed to turn propellers on large surface vessels such as guided missile destroyers or amphibious assault ships. The lab is jointly run by NUE and China Shipbuilding Industry Corporation’s (CSIC) 712th Research Institute. Rear Admiral Ma Weiming has led the National Key Laboratory for Vessel Integrated Power System Technology to develop propulsion systems for aircraft catapults, electromagnetic weapons and satellite launches. Admiral Ma has been referred to as ‘the father of China’s electromagnetic catapult system’ (中国电磁弹射之父) by official Chinese media sources. NUE’s National Defense Technology Key Laboratory of Marine Vibration and Noise (船舶振动噪声国防科技重点实验室) works on acoustic quieting technology for submarines. The lab is probably jointly run with CSIC’s 701st Research Institute, also known as China Ship Development and Design Center (中国舰船研究设计中心). Another laboratory that conducts defence research at NUE is the Nuclear Marine Propulsion Engineering Military Key Laboratory (舰船核动力工程军队重点实验室). The lab focuses on researching and training engineers in nuclear engineering for warships and submarines. Academic departments at the Naval University of Engineering include:

The tag is: misp-galaxy:china-defence-universities="Naval University of Engineering (中国人民解放军海军工程大学)"

Table 933. Table References

Links

https://unitracker.aspi.org.au/universities/naval-university-of-engineering

Navy Aviation University (中国人民解放军海军航空大学)

The Navy Aviation University was established upon the merger of the Naval Aviation Pilot Academy and the Naval Aviation Engineering University during Xi Jinping’s military reforms in 2017. The university conducts research into missile engineering, electrical engineering and automation, navigation engineering as well as air station management engineering and flight vehicle design engineering. Academic articles published by the university have looked at topics such as the PLA-N’s combat system capability and naval aviation management systems. 

The tag is: misp-galaxy:china-defence-universities="Navy Aviation University (中国人民解放军海军航空大学)"

Table 934. Table References

Links

https://unitracker.aspi.org.au/universities/navy-aviation-university

Navy Logistics Academy (中国人民解放军海军勤务学院)

The Navy Logistics Academy is an institution devoted to training naval cadets and officers specialising in logistics. The academy’s core training and research focuses on military studies, management science and economics, while specialist lines of research include logistics command management and military financial auditing. The Center for Naval Analyses (CNA) in Arlington, Virginia has noted that entry into the academy tends to occur at the mid-career level for officers in the PLA-N.

The tag is: misp-galaxy:china-defence-universities="Navy Logistics Academy (中国人民解放军海军勤务学院)"

Table 935. Table References

Links

https://unitracker.aspi.org.au/universities/navy-logistics-academy

Navy Medical University (中国人民解放军海军军医大学)

The PLA Navy Medical University, formerly known as the Second Military Medical University, was established in 1951 as a university focussed on medical research for the Chinese military.

The tag is: misp-galaxy:china-defence-universities="Navy Medical University (中国人民解放军海军军医大学)"

Table 936. Table References

Links

https://unitracker.aspi.org.au/universities/navy-medical-university

Navy Submarine Academy (中国人民解放军海军潜艇学院)

The Navy Submarine Academy is responsible for the training of submariners to crew its conventionally and nuclear-powered submarines. The academy focuses its research on subjects such as electrical and information engineering, combat simulation, underwater acoustic engineering and navigation technology along with weapons systems and launch engineering and underwater ordnance technology. The academy also offers programs in combat tactics and the underwater combat environment. The Navy Submarine Academy pursues research that may contribute to Chinese anti-submarine warfare capabilities through the Underwater Operational Environment Military Key Laboratory (水下作战环境军队重点实验室). The academy also oversees part of the The publication record of researchers from the Navy Submarine Academy also suggests a strong interest in foreign developments in undersea warfare systems. In 2018, the Navy Submarine Academy signed a cooperative agreement with Harbin Engineering University (HEU). The agreement is directed at promoting research collaboration in subjects such as big data fusion, intelligent navigation, underwater acoustic target recognition, and underwater unmanned intelligent control systems.

The tag is: misp-galaxy:china-defence-universities="Navy Submarine Academy (中国人民解放军海军潜艇学院)"

Table 937. Table References

Links

https://unitracker.aspi.org.au/universities/navy-submarine-academy

North China Institute of Aerospace Engineering (北华航天工业学院)

NCIAE specialises in aerospace technology and engineering. The university is primarily run by the Hebei Provincial Government, together with the State Administration of Science, Technology and Industry for National Defense, China Aerospace Science and Technology Corporation (CASC), and China Aerospace Science and Industry Corporation (CASIC). NCIAE appears to be a major training center for CASC and CASIC, state-owned defence conglomerates that dominate China’s missile and satellite sector. NCIAE runs at least two research and development centres with CASC and was involved in the development of the Shenzhou spacecraft, Long March rockets and the DFH-5 satellite platform. In 2003, the Hebei Provincial Government, CASC and CASIC signed an agreement to jointly support NCIAE.

The tag is: misp-galaxy:china-defence-universities="North China Institute of Aerospace Engineering (北华航天工业学院)"

Table 938. Table References

Links

https://unitracker.aspi.org.au/universities/north-china-institute-of-aerospace-engineering

North China University of Science and Technology (华北理工大学)

NCST was founded in 2010 and focuses on metallurgy and materials science. The university has engaged in growing levels of defence research since coming under the supervision of defence industry agency SASTIND in 2013. ‘Military-use critical materials’ has been designated as a key defence research area at NCST.

The tag is: misp-galaxy:china-defence-universities="North China University of Science and Technology (华北理工大学)"

Table 939. Table References

Links

https://unitracker.aspi.org.au/universities/north-china-university-of-science-and-technology

North University of China (中北大学)

NUC is a civilian university that specialises in defence research. It is jointly administered by the Shanxi Provincial Government and defence industry agency SASTIND. The university traces its roots back to an ordnance school established by the Eighth Route Army in 1941, and defence research is central to its identity. According to NUC’s website, ‘Our university has long established excellent and cooperative relationships with Central Military Commission departments, SASTIND, Norinco Group, China South Industries Group, China Aerospace Science and Technology Group, China Aerospace Science and Industry Group, and our graduates are spread across different areas in defence industry.’ Approximately 2000 of its graduates enter the defence industry each year. NUC specialises in testing and developing weapons, including tanks, missiles and explosives. Its Underground Target Damage Technology National Defense Key Subject Laboratory reportedly runs the only underground shooting range in a Chinese university. The university is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialise in armament science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器).

The tag is: misp-galaxy:china-defence-universities="North University of China (中北大学)"

Table 940. Table References

Links

https://unitracker.aspi.org.au/universities/north-university-of-china

Northeastern University (东北大学)

NEU is a major civilian university subordinate to the Ministry of Education. The university hosts three national laboratories, all of which are related to industrial manufacturing technology. NEU engages in growing levels of defence research. It holds secret-level security credentials allowing it to participate in classified weapons projects and hosts the defence-focused Key Laboratory of Aerodynamic Equipment Vibration and Control. In 2018, NEU was approved to build a further five laboratories that could be involved in future defence or security-related research. In 2019, NEU joined the Shenyang Aircraft Design Institute Collaborative Innovation Alliance (沈阳飞机设计研究所协同创新联盟), a group of universities and institutes, led by defence conglomerate AVIC, that are involved in the development of military aircraft. NEU also runs a National Defense Science and Technology Development Research Institute (国防科技发展研究院). In 2019, the institute’s senior deputy director was awarded a China Industry-University-Research Cooperation Military-Civil Fusion Prize.

The tag is: misp-galaxy:china-defence-universities="Northeastern University (东北大学)"

Table 941. Table References

Links

https://unitracker.aspi.org.au/universities/northeastern-university

Northwest Institute of Nuclear Technology (西北核技术研究所)

NINT is one of China’s main sites of nuclear technology research. While the Chinese Academy of Engineering Physics is believed to be China’s only manufacturer of nuclear warheads, NINT likely plays a supporting role in research for nuclear weapons. It is especially active in research on lasers, which can be used in nuclear fusion reactors or weapons. Aside from nuclear technology, NINT carries out research on topics including electronics, information science, materials science, control science and chemistry. NINT has partnerships with several institutes in the Chinese Academy of Sciences, Xiangtan University, Northwestern Polytechnical University, and Xi’an Jiaotong University.

The tag is: misp-galaxy:china-defence-universities="Northwest Institute of Nuclear Technology (西北核技术研究所)"

Table 942. Table References

Links

https://unitracker.aspi.org.au/universities/northwest-institute-of-nuclear-technology

Northwestern Polytechnical University (西北工业大学)

The university is one of the ‘Seven Sons of National Defence’ subordinate to MIIT. It is heavily engaged in military research, describing itself as ‘devoted to improving and serving the national defence science and technology industry.’ NWPU’s research focuses on aviation, space and naval technology. Between 2014 and 2018, the university’s School of Mechanics, Civil Engineering and Architecture alone spent nearly RMB200 million (AUD40 million) on defence research projects. 41.25% of 2017 NWPU graduates who gained employment were working in the defence sector. NWPU is known for its development of unmanned aerial vehicles (UAVs). The only Chinese university hosting a UAV defence laboratory, NWPU produces the ASN series of UAVs through its subsidiary company, Aisheng Technology Group Co., Ltd. The Chinese military is the company’s largest customer and the company once claimed to produce 90% of China’s drones. The university has close ties to state-owned shipbuilding and aerospace conglomerates.

The tag is: misp-galaxy:china-defence-universities="Northwestern Polytechnical University (西北工业大学)"

Table 943. Table References

Links

https://unitracker.aspi.org.au/universities/northwestern-polytechnical-university

Officers College of the PAP (中国人民武装警察部队警官学院)

The Officers College of the PAP was established as an institution devoted to training officers of China’s paramilitary service in command and engineering disciplines. The college’s research focusses on combat command, command information systems engineering, philosophy, law, political education, Chinese language and literature, history, mathematics, physics, applied psychology, electrical science and technology, computer science and technology, and management science and engineering. The Officers College of the PAP is especially active in developing drone technology. On 26 June 2019, the college tested its X-Swift unmanned aerial vehicles (UAV) for a test surveillance and reconnaissance flight with special operations personnel in Sichuan. The college is also active in developing applications for drone technology. Researchers from the college have collaborated with personnel from the PLA Logistics Engineering University to publish an article in favour of deploying UAVs to southern Xinjiang for counter-terrorism missions. The researchers argue for UAVs to be deployed for regional surveillance and strike as well as search and seizure missions in Xinjiang, drawing on lessons from the US coalition against ISIS.

The tag is: misp-galaxy:china-defence-universities="Officers College of the PAP (中国人民武装警察部队警官学院)"

Table 944. Table References

Links

https://unitracker.aspi.org.au/universities/officers-college-of-the-pap

PAP NCO College (中国人民武装警察部队士官学校)

The PAP NCO College was established in 2017 following Xi Jinping’s reforms to China’s military education system. The college does not appear to engage in significant levels of defence research and focuses its attention on training enlisted personnel in China’s paramilitary service, the People’s Armed Police.

The tag is: misp-galaxy:china-defence-universities="PAP NCO College (中国人民武装警察部队士官学校)"

Table 945. Table References

Links

https://unitracker.aspi.org.au/universities/pap-nco-college

Peking University (北京大学)

PKU is considered among China’s most prestigious universities with a storied history. It is ranked as one of China’s top two academic institutions, along with Tsinghua University. Unsurprisingly, the university has been included in a number of the PRC’s educational initiatives, including as a Class A institution under the Double First-Class University program. PKU has been subject to at least two joint-supervision agreements between the Ministry of Education and defence industry agency SASTIND. These agreements, signed in 2012 and 2016, are designed to deepen the university’s involvement in defence research. PKU’s Advanced Technology Institute was founded in 2006 to oversee and develop the university’s defence research. It includes several research centres and supervises the university’s four major defence laboratories. The institute’s research covers semiconductors, nuclear technology, quantum physics, advanced materials, underwater acoustics, satellite navigation and communications, flight propulsion, aerospace engineering and microprocessors. In 2017, PKU and the Chinese Academy of Engineering Physics (CAEP)—China’s nuclear weapons program—established the PKU–CAEP New Structure Center for Applied Physics and Technology (北京大学-中国工程物理研究院新体制应用物理与技术研究中心). The institution was founded on the basis of the PKU Center for Applied Physics and Technology (北京大学应用物理与技术研究中心) established with CAEP in 2007. The joint centre carries out research on materials, lasers for atomic physics applications, laser plasma physics, computer science and fluid dynamics. PKU’s report on the centre notes that it will serve China’s national defence needs and that CAEP’s deputy director emphasised it should ‘take the path of military-civil fusion’. The joint centre’s honorary director and founding director, He Xiantu, is credited as the developer of China’s first neutron bomb. PKU takes precautions for the protection of classified information. The university has an office devoted to the secure handling of classified information, hosting regular meetings and training sessions to strengthen the university’s security culture. In 2006, the university received security credentials for participation in classified defence research.

The tag is: misp-galaxy:china-defence-universities="Peking University (北京大学)"

Table 946. Table References

Links

https://unitracker.aspi.org.au/universities/peking-university

People’s Armed Police Command College (中国人民武装警察指挥学院)

The PAP Command College is an institution devoted to training officers in China’s paramilitary service, the People’s Armed Police, that was established in 1984. The college’s key subjects focus on law, engineering, military studies and management studies, but most attention is devoted to paramilitary training and political work. The PAP Command College maintains a focus on paramilitary training, but it does retain a scientific research program. Drone technology is another area of interest for the PAP Command College. The college was involved in testing the X-Swift unmanned aerial vehicle (UAV) in June 2019. Kang Jian from the college’s Scientific Research Department also attended the 2017 Drone World Congress hosted in Shenzhen.

The tag is: misp-galaxy:china-defence-universities="People’s Armed Police Command College (中国人民武装警察指挥学院)"

Table 947. Table References

Links

https://unitracker.aspi.org.au/universities/peoples-armed-police-command-college

People’s Public Security University of China (中国人民公安大学)

PPSUC was founded in July 1948. In 1984, it was developed into a full-time higher education institution with master’s and bachelor’s degree programs. In 1998, it was merged with the Chinese People’s Police University (中国人民警官大学). Its schools include a Marxism School, Law School, Law and Order School, Investigation and Anti-Terrorism School, Criminology School, Public Security Management School, International Policing and Law Enforcement School, Police Training College (which covers combat training and command and tactical training), Criminal Science and Technology School, Information Technology and Network Security School, and a Traffic Management School. PPSUC is involved in the development of technological tools for public security applications, including image recognition. For instance, the university signed an agreement with Chinese video surveillance equipment manufacturer Hikvision in 2016 to set up a joint laboratory on video image recognition technology. In 2018, it signed a strategic cooperation agreement with Xiamen Meiya Pico Information Co., a Chinese company that provides digital forensics and information security products, which included upgrading a forensics laboratory and establishing a cyber security attack and defence laboratory. The university also has cooperation agreements with numerous local government-level public security bureaus across the PRC. These include agreements on image recognition technology for local public security bureaus and joint laboratories. For instance, in 2018, alongside the Nanshan sub-bureau of Shenzhen Public Security Bureau and the artificial intelligence companies SenseTime and Shenzhen Yuantian Lifei, it signed a strategic cooperation agreement on applying video recognition and the establishment of a joint laboratory.

The tag is: misp-galaxy:china-defence-universities="People’s Public Security University of China (中国人民公安大学)"

Table 948. Table References

Links

https://unitracker.aspi.org.au/universities/peoples-public-security-university-of-china

Railway Police College (铁道警察学院)

The Railway Police College is China’s only institution of higher learning devoted to training specialists responsible for securing the Chinese railway network. In 2017, the college graduated over 1,000 personnel trained in disciplines such as surveillance studies, political security studies and safety management studies.

The tag is: misp-galaxy:china-defence-universities="Railway Police College (铁道警察学院)"

Table 949. Table References

Links

https://unitracker.aspi.org.au/universities/railway-police-college

Renmin University (人民大学)

Renmin University is subordinate to the Ministry of Education and also supported by the Beijing Municipal Government. Its focus is in the humanities and social sciences. Although the university does not appear to have ties with the national defense industry, it was placed on the US Government’s Unverified List in April 2019, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Renmin University (人民大学)"

Table 950. Table References

Links

https://unitracker.aspi.org.au/universities/renmin-university

Rocket Force Command College (中国人民解放军火箭指挥学院)

The Rocket Force Command College is the PLA’s premier institute devoted to training cadets and early-to-mid career officers in conventional and nuclear missile campaigns. Candidates require understanding of battlefield command, management and campaign tactics prior to entry into the college. The college then builds on this knowledge by providing specialist training for missile campaigns.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Command College (中国人民解放军火箭指挥学院)"

Table 951. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-command-college

Rocket Force Research Institute (中国人民解放军火箭军研究院)

The Rocket Force Research Institute develops nuclear and conventional ballistic missiles, carrying out research on warhead, guidance and control technology. It appears to be the successor to the PLA Second Artillery Equipment Academy (火箭军装备研究院) and the Rocket Force Equipment Academy (火箭军装备研究院). The institute reportedly hosts two national-level defence laboratories. It also has a strategic cooperation agreement with Beijing Institute of Technology, which hosts two state key laboratories that study impacts and explosions.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Research Institute (中国人民解放军火箭军研究院)"

Table 952. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-research-institute

Rocket Force Sergeant School (中国人民解放军火箭军士官学校)

The Rocket Force Officer College is an institution devoted to training military personnel for China’s tactical and strategic missile forces that was established after Xi Jinping’s military reforms in 2017. The college’s focus is on providing technical training to personnel in the PLARF’s missile systems. However, the college has also produced research on underground engineering which would be useful to hardening bases for missile strikes.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Sergeant School (中国人民解放军火箭军士官学校)"

Table 953. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-sergeant-school

Rocket Force University of Engineering (中国人民解放军火箭军工程大学)

RFUE is the PLA strategic missile force’s leading institution for training technical and scientific talent. Students entering the university tend to be university graduates and career members of the PLA Rocket Force. Defence research conducted by the RFUE focuses on building resilience and capabilities for conventional and nuclear missile strikes. RFUE hosts the Missile Testing and Control Virtual Simulation Experimental Teaching Center (导弹测试与控制虚拟仿真实验教学中心). The university’s key areas of research include:

The tag is: misp-galaxy:china-defence-universities="Rocket Force University of Engineering (中国人民解放军火箭军工程大学)"

Table 954. Table References

Links

https://unitracker.aspi.org.au/universities/rocket-force-university-of-engineering

Shandong University (山东大学)

SDU is subordinate to the Ministry of Education. Since 2016, it has also been supervised by defence industry agency SASTIND as part of a program to expand universities’ involvement in defence research and training. SDU has pursued greater involvement in defence research since at least 2006, when it established a national defence research institute to coordinate relevant work across the university. Shortly afterwards, it received secret-level security credentials allowing it to participate in research and production for classified weapons and defence technology projects. In 2008, it was recognised as one of Shandong Province’s 10 outstanding defence industry units. SDU collaborates with the Chinese Academy of Engineering Physics, China’s nuclear warheads development facility, on topics including the development of crystals that are used in the study of nuclear explosions and research on fusion ignition.

The tag is: misp-galaxy:china-defence-universities="Shandong University (山东大学)"

Table 955. Table References

Links

https://unitracker.aspi.org.au/universities/shandong-university

Shandong University of Technology (山东理工大学)

SDUT specialises in engineering and carries out growing levels of defence research. In 2018, SDUT became the only university in Shandong Province jointly supervised by defence industry agency SASTIND besides Shandong University. This indicates that SDUT’s involvement in defence research and links to the defence industry will grow in coming years. SASTIND has specifically indicated its intention to build up advanced materials and advanced manufacturing technology as areas of defence research at SDUT. SDUT has carried out research on mechatronic engineering for the defence industry, and developed a non-destructive testing system for ceramic antenna covers on missiles.

The tag is: misp-galaxy:china-defence-universities="Shandong University of Technology (山东理工大学)"

Table 956. Table References

Links

https://unitracker.aspi.org.au/universities/shandong-university-of-technology

Shanghai Jiao Tong University (上海交通大学)

SJTU is directly under the administration of the MOE. In 2016 it also came under the supervision of defence industry agency SASTIND as part of a ‘joint construction’ agreement between the MOE and SASTIND. The university has at least three laboratories focused on defense research relating to materials science, ships and hydrodynamics. The defence labs have established substantial collaborative research and talent development relationships with hydrodynamics research groups at universities including MIT, Cornell, and the Danish Technical University. One of the university’s strongest departments is computer science. Its computer science program has garnered support from American tech companies such as Cisco Systems and Microsoft, which collaborated on establishing a laboratory for intelligent computing and intelligent systems at the university. In particular, the School of Information Security Engineering has ties to the PLA through its dean and chief professor, who both previously worked for the PLA. SJTU also has ties to the PLA Unit 61398, a cyber espionage unit that has been implicated in cyber attacks on the United States. SJTU is also known for its involvement in maritime research. The School of Naval Architecture, Ocean & Civil Engineering cooperates extensively with other universities from around the world as well as with many domestic industrial enterprises, such as defence conglomerates CSIC and CASC. The school is the lead unit of the High-tech Ship and Deep-Sea Development Equipment Collaborative Innovation Center (高新船舶与深海开发装备协同创新中心), where it has contributed to assisting the PLA Navy’s transition to offshore defense operations.

The tag is: misp-galaxy:china-defence-universities="Shanghai Jiao Tong University (上海交通大学)"

Table 957. Table References

Links

https://unitracker.aspi.org.au/universities/shanghai-jiaotong-university

Shanghai University (上海大学)

SHU is engaged in growing levels of defence research. In 2016, the Shanghai Municipal Government and defence industry agency SASTIND agreed to jointly supervise and support its participation in defence research. Shanghai University has begun building up its capability in defence research in areas such as unmanned surface vehicles, materials for missiles, and microwave technology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. Shanghai University’s Research Institute of Unmanned Surface Vehicle Engineering researches and produces unmanned surface vessels, some of which are for the China Maritime Safety Administration.

The tag is: misp-galaxy:china-defence-universities="Shanghai University (上海大学)"

Table 958. Table References

Links

https://unitracker.aspi.org.au/universities/shanghai-university

Shenyang Aerospace University (沈阳航空航天大学)

SAU is the only university formally under the supervision of China’s military aircraft manufacturer, AVIC. SAU engages in high levels of defence research and describes itself as a base for training talent in national defence science and technology. Serving China’s military aviation industry is what SAU refers to as its ‘glorious tradition’. Many of China’s military aircraft are designed and built in Shenyang, which is home to AVIC subsidiaries Shenyang Aircraft Design Institute and Shenyang Aircraft Corporation. SAU and AVIC work closely together, including through a joint research institute.

The tag is: misp-galaxy:china-defence-universities="Shenyang Aerospace University (沈阳航空航天大学)"

Table 959. Table References

Links

https://unitracker.aspi.org.au/universities/shenyang-aerospace-university

Shenyang Ligong University (沈阳理工大学)

SYLU is a civilian university that specialises in defence research. The university’s primary areas of defence research are armament science, information and communications engineering, control science, materials science and mechanical engineering. Apart from Xi’an Technological University, SYLU is the only Chinese civilian university supervised by state-owned arms manufacturers Norinco Group and China South Industries Group. In 2016, it also came under the supervision of defence industry agency SASTIND. SYLU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). The university runs a weapons museum on its campus. Furthermore, SYLU is a member of the Liaoning Military-Civil Fusion Arms Industry-College Alliance (辽宁军民融合(兵工)产业校企联盟) and SYLU’s president doubles as chairman of the alliance. This indicates close ties between SYLU and China’s arms industry.

The tag is: misp-galaxy:china-defence-universities="Shenyang Ligong University (沈阳理工大学)"

Table 960. Table References

Links

https://unitracker.aspi.org.au/universities/shenyang-ligong-university

Shenzhen University (深圳大学)

SZU is the primary university in China’s rapidly growing technology hub, Shenzhen. The university does not appear to engage in high levels of defence research outside of its national defence laboratory on automatic target recognition. The laboratory was founded in 2001, is overseen by the PLA and SASTIND, and is headed by the university’s former president.

The tag is: misp-galaxy:china-defence-universities="Shenzhen University (深圳大学)"

Table 961. Table References

Links

https://unitracker.aspi.org.au/universities/shenzhen-university

Shijiazhuang Tiedao University (石家庄铁道大学)

STDU specializes in transportation science, engineering and information technology. Its predecessor was the PLA Railway Engineering College. Since 2013, STDU has also been supervised by defence industry agency SASTIND through an arrangement designed to expand the university’s involvement in defense-related research and training. STDU has secret-level security credentials, allowing it to participate in classified defense technology research. STDU is home to the National Defense Transportation Research Institute (国防交通研究所), which is the only civilian university research institute that specializes in national defense transportation research. STDU is also home to the Institute of Complex Networks and Visualisations (复杂网络与可视化研究所), which develops military-use information processing software including remote-control systems for aerospace applications.

The tag is: misp-galaxy:china-defence-universities="Shijiazhuang Tiedao University (石家庄铁道大学)"

Table 962. Table References

Links

https://unitracker.aspi.org.au/universities/shijiazhuang-tiedao-university

Sichuan University (四川大学)

Sichuan University (SCU) is a leading Chinese university subordinate to the Ministry of Education. In 2011 and again in 2016 SCU was the subject of joint construction agreements between the MOE and defence industry agency SASTIND designed to increase its involvement in defence research. The university hosts at least three laboratories that focus on defence research and has a close relationship with the Chinese Academy of Engineering Physics (CAEP), the PRC’s primary nuclear warheads research facility. SCU’s Institute of Atomic and Molecular Physics and CAEP jointly established the Institute of Atomic and Molecular Engineering and the Institute of High Temperature and High Pressure Physics. In 2012, SCU was added to the US BIS Entity List as an alias of CAEP, implying that it acts as a proxy for the facility. A 2011 study by American think tank Project 2049 concluded that a PLA signals intelligence unit ‘likely maintain a close, mutually supportive relationship with related organizations in Chengdu, such as Sichuan University’s Information Security and Network Attack and Defense Laboratory (四川大学信息安全及网络攻防研究室).’

The tag is: misp-galaxy:china-defence-universities="Sichuan University (四川大学)"

Table 963. Table References

Links

https://unitracker.aspi.org.au/universities/sichuan-university

Soochow University (苏州大学)

Soochow University has been jointly supervised by the Jiangsu Provincial Government and defence industry agency SASTIND since 2016. This arrangement is designed to expand the university’s involvement in defense-related research and training. The university has five designated defence disciplines, centred around research on radiation. In particular, its School of Radiation Medicine and Protection has strong defence links, as it has become a major teaching and research base for the nuclear industry. Suzhou University is also involved in promoting military-civil fusion. The university cooperated with Changfeng Science Technology Industry Group (a subsidiary of missile manufacturer CASC) and Suzhou Xinkuan Electronic Technology Co., Ltd. to jointly establish the ‘Suzhou University Military-Civil Fusion Internet of Things Collaborative Innovation Center.’

The tag is: misp-galaxy:china-defence-universities="Soochow University (苏州大学)"

Table 964. Table References

Links

https://unitracker.aspi.org.au/universities/soochow-university

South China University of Technology (华南理工大学)

SCUT is subordinate to the Ministry of Education and in 2018 was placed under a joint-construction agreement between the MOE and SASTIND. This arrangement is designed to develop the university’s involvement in defence-related research and training. SCUT also holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects. As a result of the university’s placement under joint construction and its secret-level security credentials, SCUT’s involvement in defence research is likely to grow in coming years. Since 2008, the university has hosted a defence research laboratory on materials science. The lab was initially run by the university’s president. In 2017, the university joined the Guangzhou Civil-Military Integration Industry Coalition. More recently, in 2019, SCUT and iFlytek established an artificial intelligence company, Guangzhou Huanan Naokong Zhineng Keji Gongsi (广州华南脑控智能科技公司).

The tag is: misp-galaxy:china-defence-universities="South China University of Technology (华南理工大学)"

Table 965. Table References

Links

https://unitracker.aspi.org.au/universities/south-china-university-of-technology

Southeast University (东南大学)

SEU is a leading Chinese university that engages in high levels of defence research. In 2015, the university undertook RMB180m (AUD37m) of defence research projects, placing it among the Ministry of Education universities most involved in defence research. That figure has almost certainly grown since 2016, when SEU came under a ‘joint construction’ agreement between the Ministry of Education and defence industry agency SASTIND. The university has secret security credentials, enabling it to participate in secret defence projects. The university has also been linked to cyberespionage. Researchers at its School of Cyber Science and Engineering (网络空间安全学院) have been funded by the MSS, China’s civilian intelligence agency. The School of Cyber Science and Engineering has close ties to TopSec, a Chinese information security company that trains, recruits and works with PLA cyber security officers. SEU states that its defence research relies on its excellence in electronics. It has at least two laboratories that specialise in defence research on navigation technology and underwater acoustics. Both laboratories may be involved in developing technology for underwater warfare. Representatives from the PLA Navy’s Submarine Academy visited SEU in 2017. SEU has also built relationships with state-owned defence conglomerates. In 2017, the university signed a strategic cooperation agreement with missile-manufacturer China Aerospace Science and Industry Corporation. In 2018 and 2019, it signed similar agreements with subsidiaries of China Electronics Technology Group Corporation, China’s leading manufacturer of military electronics.

The tag is: misp-galaxy:china-defence-universities="Southeast University (东南大学)"

Table 966. Table References

Links

https://unitracker.aspi.org.au/universities/southeast-university

Southwest University of Science and Technology (西南科技大学)

SWUST is deeply engaged in defence research and is based in Mianyang, a city also home to China’s nuclear weapons program and many other parts of the defence industry. Since 2006, the university has been subject to several joint construction agreements between the Sichuan Provincial Government and SASTIND that are designed to increase its involvement in defence research. SWUST carries out defence-related research on nuclear waste, radiation protection and electronic information engineering. It holds secret-level security credentials, allowing it to undertake classified defence technology and weapons projects. The university’s main defence laboratory carries out research on topics such as the use of microorganisms to clean nuclear waste. SWUST has worked closely with the Chinese Academy of Engineering Physics (China’s nuclear warheads program), China Aerodynamics Research and Development Center (a PLA base specialising in aircraft design), and defence conglomerates since its establishment. The fact that the university hosts the province’s ‘Civil-military Integration Institute’ is a testament to its integration with the military and defence industry.

The tag is: misp-galaxy:china-defence-universities="Southwest University of Science and Technology (西南科技大学)"

Table 967. Table References

Links

https://unitracker.aspi.org.au/universities/southwest-university-of-science-and-technology

Space Engineering University (中国人民解放军战略支援部队航天工程大学)

SEU was established in June 2017 as an expansion of the former PLA Equipment Academy (装备学院). SEU describes itself as a ‘comprehensive university that trains talents for space command management and engineering.’ It is intended to serve as the ‘cradle of the new PLA’s space talent training.’ The SEU is subordinate to and supports the PLA Strategic Support Force’s Space Systems Department (航天系统部), which has taken over the space and potentially counterspace capabilities that were previously the purview of the former General Armaments Department and, to a lesser degree, the former General Staff Department. The SEU offers degree programs at the undergraduate, master’s, and doctoral levels, as well as programs for non-commissioned officers, across disciplines including space target surveillance, remote sensing science and technology, and aerospace information security. Its faculty include nine CMC Science and Technology Commission experts and twenty professors who are designated as expert defence science and technology advisors. Beyond its mission of talent cultivation, the SEU also engages in extensive research. In particular, the SEU has a total of eighteen laboratories, which include two national-level key laboratories and one military-level key laboratory.

The tag is: misp-galaxy:china-defence-universities="Space Engineering University (中国人民解放军战略支援部队航天工程大学)"

Table 968. Table References

Links

https://unitracker.aspi.org.au/universities/space-engineering-university

Special Police Academy (中国武装警察部队特种警察学院)

SPA is made up of departments for training, political work and logistics. As such, SPA engages in little defence research and focusses its activities on training special operations paramilitary troops in command processes.

The tag is: misp-galaxy:china-defence-universities="Special Police Academy (中国武装警察部队特种警察学院)"

Table 969. Table References

Links

https://unitracker.aspi.org.au/universities/special-police-academy

Sun Yat-sen University (中山大学)

SYSU is a leading Chinese university subordinate to the Ministry of Education. In 2018, it came under the joint supervision of MOE and defence industry agency SASTIND. This development indicates that SYSU’s involvement in the defence industry and defence research is growing.

The university has a large defence research budget. In 2018, it spent nearly RMB200 million (AUD41 million) on defence research out of its total research budget of RMB3.1 billion (AUD640 million).

SYSU is linked to the Chinese military through its National Supercomputer Center in Guangzhou (国家超级计算广州中心), which was placed on the US Government Entity List in 2015 for its role in nuclear weapons development. The centre was jointly established with the PLA National University of Defense Technology in 2011 to host the Tianhe-2 supercomputer. The supercomputer is operated by the National University of Defense Technology and was the world’s fastest from 2013 to 2015.

Aside from the supercomputer center, SYSU’s Key Laboratory of Information Science is the only known lab focused on defence research and is located within the School of Electronics and Information Technology.

In 2010, the university established a State Secrets Academy (国家保密学院), serving as the third university in China to establish such an institute in partnership with China’s National Administration of State Secrets Protection (国家保密局). The Institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Sun Yat-sen University (中山大学)"

Table 970. Table References

Links

https://unitracker.aspi.org.au/universities/sun-yat-sen-university

Tianjin Polytechnic University (天津工业大学)

TJPU is known for its research in the field of textile science and engineering. It is jointly supervised by the Ministry of Education and the city of Tianjin. In 2018, defence industry agency SASTIND and the Tianjin Municipal Government signed an agreement to jointly support TJPU. The purpose of the agreement is to support the university’s development of defence disciplines, construction of defence laboratories, and training of defence scientists. Through this arrangement, SASTIND involves universities in military research projects and supports collaboration between universities and the defence industry. The university also holds secret-level security credentials that allow it to participate in classified defence technology projects.

Tianjin Polytechnic University hosts one state key lab and two MOE key labs. One of the MOE key labs and the state key lab are located within the School of Material Science and Engineering. Additionally, TJPU’s School of Textile Science and Engineering has conducted R&D that has been applied to industries in aerospace, defense, transportation, civil engineering, among others. The School of Textile Science and Engineering has reportedly become a backbone of research and innovation for China’s textile industry.

The tag is: misp-galaxy:china-defence-universities="Tianjin Polytechnic University (天津工业大学)"

Table 971. Table References

Links

https://unitracker.aspi.org.au/universities/tianjin-polytechnic-university

Tianjin University (天津大学)

TJU is under the administration of the Ministry of Education and has also been supervised by defence industry agency SASTIND since 2012. The university has second-class security credentials, allowing it to participate in classified research projects at the level of ‘secret’. It hosts two defence laboratories, working on optoelectronics and propellants.

In 2015, a professor at Tianjin University was arrested by U.S. federal agents and accused of economic espionage and technology theft. He had been a professor in the School of Precision Instrument and Opto-electronics Engineering, which is home to one of the MOE labs involved in defense research. TJU is also a member of several international engineering alliances and has one National Defense Technology Innovation Team.

TJU carries out research for the Ministry of State Security (MSS), China’s civilian intelligence agency. It has hosted at least one MSS researcher and its scientists have been awarded for their work for the MSS on communication and information engineering.

The tag is: misp-galaxy:china-defence-universities="Tianjin University (天津大学)"

Table 972. Table References

Links

https://unitracker.aspi.org.au/universities/tianjin-university

Tongji University (同济大学)

Tongji University is recognized for its work in architecture, civil engineering, marine geology, and transportation engineering. The university established the only state key laboratory of deep-sea geology, which plays an important role in China’s deep-sea observation and serves as a significant platform for the country’s marine strategy.

The university’s involvement in marine research likely stems from its joint construction with the State Oceanic Administration (SOA). In 2010, the Ministry of Education and the State Oceanic Administration signed to jointly establish 17 universities, a collaboration aimed at enhancing the ability to cultivate marine talents in universities, develop marine science and technology, and make contributions to the development of China’s marine industry.

Tongji University has secret-level security credentials and is home to one Ministry of Education laboratory dedicated to defense research. In April 2019, the university was placed on the U.S. Unverified List, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Tongji University (同济大学)"

Table 973. Table References

Links

https://unitracker.aspi.org.au/universities/tongji-university

Tsinghua University (清华大学)

Tsinghua University is considered China’s leading university in science and technology. Often characterized as ‘China’s MIT,’ Tsinghua is highly ranked globally, while also being the alma mater of numerous Chinese leaders, including Xi Jinping. Tsinghua has been included in numerous Chinese educational initiatives, including acting as a Class A institution in the Double First-Class University Plan and with membership in China’s C9 League. As of spring 2018, Tsinghua University had 390 research institutions operating across a range of fields.

Tsinghua engages in a range of military research and was awarded secret-level security credentials for classified research in 2007. In advancing military-civil fusion, Tsinghua also continues its ‘fine tradition’ of serving China’s national security and defense, actively creating new platforms and initiatives to support this strategy. Not only its dedicated defence laboratories but also a range of key laboratories and research institutions at the university have received funding from the military. Since at least 2012, Tsinghua has also been jointly supervised by defence industry agency SASTIND as part of a program to deepen its defence research and links to the defence sector.

Tsinghua’s defence research covers areas such as artificial intelligence, air-to-air missiles, navigation technology, instrument science and materials science.

The university trains students for China’s nuclear weapons program, military and defence industry. In 2014 it signed a strategic cooperation agreement with the Chinese Academy of Engineering Physics (CAEP), China’s nuclear weapons program. In 2016, CAEP’s Materials Institute and Tsinghua established a joint postgraduate training base for teaching, research collaboration and equipment sharing.

Approximately 200 postgraduate students at Tsinghua are sponsored by CAEP or defence industry conglomerates each year through the Chinese government’s National Defence Science and Technology Scholarship program. Scholarship recipients are required to work for their sponsoring organisation for five years after graduating. Roughly 2000 of the scholarships are awarded each year, indicating that Tsinghua students are among the primary recipients of them. Documents published by Tsinghua indicate that CAEP planned to sponsor 40 PhD students to study nuclear technology in 2013. CAEP continues to sponsor Tsinghua postgraduates. In 2004, Tsinghua agreed to supervise doctoral students from the PLA’s Second Artillery Engineering University, now known as the Rocket Force University of Engineering.

The tag is: misp-galaxy:china-defence-universities="Tsinghua University (清华大学)"

Table 974. Table References

Links

https://unitracker.aspi.org.au/universities/tsinghua-university

University of Electronic Science and Technology of China (电子科技大学)

UESTC was established in 1961 as one of China’s first defence industry universities. It is now subordinate to the Ministry of Education (MOE) and is also jointly supervised by defence industry agencies MIIT and SASTIND, as well as the Chinese military’s leading electronics manufacturer, China Electronics Technology Group Corporation (CETC).

The university is one of China’s leading universities for defence electronics research. It claims to rank among the top MOE universities in terms of the scale of its defence research. Between 2011 and 2015, its annual spending on defence research grew by 210% to RMB400 million (AUD80 million) and may account for as much as 32% of its overall research spending. 16.43% of UESTC graduates in 2017 who found employment were working in the defence sector. UESTC gained secret-level security credentials about a decade ago, probably in 2006, making it one of the first MOE universities to hold them.

UESTC research has been used by state-owned manufacturers of military aircraft, missiles, and military electronics and the PLA Navy on projects such as the JF-17 fighter and the Navy’s aircraft carrier program.

UESTC’s defence research covers areas including electronics, microwaves, terahertz technology, anti-jamming technology and signal processing, communication systems, military-use critical materials, and optoelectric imaging. Between 2001 and 2005, UESTC undertook over 900 military electronics projects worth in excess of RMB500 million (AUD104 million).

UESTC’s research on artificial intelligence has attracted scrutiny for its human rights implications. In 2015, a professor recruited by UESTC through the Thousand Talents Plan established a company called Koala AI. The company produces artificial intelligence surveillance systems that are used in Xinjiang, where an estimated 1.5 million Uyghurs and other ethnic minorities have disappeared into concentration camps.

UESTC has close relationships with the Chinese defence industry. The university operates a national laboratory on high-power radiation with the Chinese Academy of Engineering Physics, the PRC’s primary nuclear warhead research complex. CETC, a state-owned defence conglomerate, partnered jointly with the MOE to develop UESTC’s capabilities. Under the arrangement, UESTC agreed to expand its collaboration with CETC, help train CETC personnel and send its best students to work at CETC. Defence industry agency SASTIND also signed agreements to supervise UESTC in 2008 and 2016.

The tag is: misp-galaxy:china-defence-universities="University of Electronic Science and Technology of China (电子科技大学)"

Table 975. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-electronic-science-and-technology-of-china

University of International Relations (国际关系学院)

UIR claims it was established in 1949 under the direction of then Premier Zhou Enlai. In 1964 it was designated as a ‘national key university’, and this appears to be the evidence it uses to claim it is a Ministry of Education university. However, the university does not appear on the Ministry of Education’s list of subordinate universities.

Individuals formerly and presently affiliated with the university have also held affiliations with the MSS or the MSS-linked think tank the China Institutes of Contemporary International Relations (中国现代国际关系研究院). They include Geng Huichang (耿惠昌), a former Minister of State Security (2007-2016) and vice minister of State Security (1998-2007). Prior to this he was the head of China Institutes of Contemporary International Relations from 1992 to 1998. From 1990 to 1992, he was the director of UIR’s American Research Department and from 1985-1990 he was deputy director of the American Research department. Notably, current UIR President Tao Jian is also a former CICIR vice-president and a UIR graduate.

UIR gives the MSS a way to work with foreign universities and academics to shape and learn about perceptions of the PRC’s views on security. It also provides a platform for the MSS to identify talent, recruit officers and collect intelligence.

The university’s Hangzhou campus, also known as the Zhejiang Second People’s Police School, may carry out more practical training of MSS officers and has been described on a local government website as ‘specialising in training special talent’. Some graduates of the Hangzhou campus have moved straight into MSS positions. The Hangzhou campus works closely with Zhejiang University on teaching and research.

The tag is: misp-galaxy:china-defence-universities="University of International Relations (国际关系学院)"

Table 976. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-international-relations

University of Science and Technology Beijing (北京科技大学)

USTB is a leading university subordinate to the MOE. The university engages in high levels of defence research and claims to be among the top MOE universities for defence spending. Since 2018, it has been under a joint-construction agreement between the MOE and defence industry agency SASTIND that is designed to expand its involvement in defence research.

USTB is known as the ‘cradle of steel’ for its training and research on metallurgy. The university’s defence research appears to focus on metallurgy and materials science. It hosts at least three laboratories dedicated to defence research, including two that are jointly run with state-owned defence conglomerates. The head of USTB’s Institute of Advanced Materials and Technology also heads a SASTIND-supported defence science and technology innovation team.

The university holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology Beijing (北京科技大学)"

Table 977. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-science-and-technology-beijing

University of Science and Technology of China (中国科学技术大学)

The University of Science and Technology of China is among China’s most prestigious universities in science and technology. Uniquely, it was established and is supervised by the Chinese Academy of Sciences, intended to serve national objectives in science and technology. Xi Jinping personally inspected USTC in 2016, urging it to pursue “even more outstanding achievements in teaching and innovation.” It is a member of the C9 League and in the “211 Project” and “985 Project.” While providing undergraduate and graduate-level education, USTC is also highly active in research across a number of major laboratories, including several that support research that is related to national defense and the development of dual-use technologies, such as brain-inspired approaches to artificial intelligence and quantum information science. USTC has a long history of contributions to science in the service of the state, and it has recently sought to deepen its contributions to military research, including through establishing a new center for military-civil fusion. Several USTC professors, including prominently Pan Jianwei, have partnered with the defense industry to pursue military applications of their technologies.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology of China (中国科学技术大学)"

Table 978. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-science-and-technology-of-china

University of Shanghai for Science and Technology (上海理工大学)

USST describes itself as a ‘university with defence characteristics’. It has been under the joint supervision of Shanghai and defence industry agency SASTIND since 2016.

It is engaged in growing levels of defence research and holds second-class weapons research and development secrecy credentials, allowing it to undertake classified projects. In 2017, its spending on defence research reached RMB13 million (AUD2.6 million).

SASTIND has designated areas within the fields of optics, energy and control science as defence disciplines at USST, indicating that the university’s defence research focuses on these areas.

In 2017, the university established a joint venture on terahertz radiation technology with subsidiaries of defence conglomerate Norinco Group.

The tag is: misp-galaxy:china-defence-universities="University of Shanghai for Science and Technology (上海理工大学)"

Table 979. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-shanghai-for-science-and-technology

University of South China (南华大学)

USC specialises in nuclear engineering. It has a well-developed defence research program and has been the subject of several joint-construction agreements between the Hunan Provincial Government and defence industry agency SASTIND since 2002. These agreements are designed to ‘support USC in going a step further to display its defence characteristics based on the development needs of the defence technology industry.’ USC is also supervised by China National Nuclear Corporation, a state-owned defence nuclear engineering conglomerate.

USC carries out large amounts of defence research related to nuclear engineering, as well as work on information technology, communications engineering, control engineering and electrical engineering. The university received secret-level security credentials in 2008, allowing it to work on classified defence projects.

The tag is: misp-galaxy:china-defence-universities="University of South China (南华大学)"

Table 980. Table References

Links

https://unitracker.aspi.org.au/universities/university-of-south-china

Wuhan University (武汉大学)

WHU is a leading Chinese university subordinate to the Ministry of Education. The university has close ties to the military and has been subject to a joint-supervision agreement between the Ministry of Education and defence industry agency SASTIND since 2016, an arrangement designed to increase its involvement in defence research. In 2015, WHU planned to spend RMB200 million (AUD42 million) on defence research for the year and described itself as ‘a university with a strong reputation in the defence science and technology field’.

WHU carries out defence research in a wide range of fields, including navigation, computer simulation, electronic information, electromagnetics, aerospace remote sensing, materials science, cyber security and explosions. The university is an important site of research for China’s Beidou satellite navigation system.

Aside from being involved in defence research, there are strong indications that WHU has carried out cyber attacks for the People’s Liberation Army. One of the university’s two defence laboratories purportedly established by the Ministry of Education, the Key Laboratory of Aerospace Information Security and Trusted Computing, has been accused by unnamed US and Taiwanese officials of carrying out cyberattacks.

The tag is: misp-galaxy:china-defence-universities="Wuhan University (武汉大学)"

Table 981. Table References

Links

https://unitracker.aspi.org.au/universities/wuhan-university

Wuhan University of Technology (武汉理工大学)

WHUT is subordinate to the Ministry of Education. The university originally specialised in research relating to construction, transport and automobiles. It engages in high levels of defence research and has been under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND since 2016. It holds secret-level security credentials.

The university hosts two Ministry of Education laboratories dedicated to defence research on materials science and ship technology. WHUT also works closely with the PLA Air Force on defensive engineering such as the construction of aircraft bunkers and underground shelters. Since 2001, WHUT and the Guangdong Military Region Air Force Engineering and Construction Bureau have run a joint research institute, which ‘takes advantage of [WHUT’s] State Key Laboratory of Advanced Technology for Materials Synthesis and Processing’. ‘In 2012, the PLA Air Force Logistics Department and WHUT held a signing ceremony inaugurating the “Air Force-level Military-Civil Fusion Air Defence Engineering Construction Technology Innovation Platform Cooperation Agreement” (空军级军民融合式空防工程建设科技创新平台合作协议)’. The same department in cooperation with WHUT also jointly established the Air Force Air Defence Engineering Construction Technology Innovation Platform (空军级空防工程建设科技创新平台), with ‘the goal of innovating mutually beneficial technologies.’

The tag is: misp-galaxy:china-defence-universities="Wuhan University of Technology (武汉理工大学)"

Table 982. Table References

Links

https://unitracker.aspi.org.au/universities/wuhan-university-of-technology

Xi’an Jiaotong University (西安交通大学)

XJTU is subordinate to the Ministry of Education. It is also supervised by SASTIND as part of a program to develop defense research capabilities within Chinese universities. The university describes its strategy as being ‘based in Shaanxi, geared toward the needs of the nation, and serving the national defense industry.’

The university is advanced in its implementation of military-civil fusion and has established strategic partnerships with China Aerospace Science and Technology Corporation, China Aerospace Science and Industry Corporation, and the Aero Engine Corporation of China. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xi’an Jiaotong University (西安交通大学)"

Table 983. Table References

Links

https://unitracker.aspi.org.au/universities/xian-jiaotong-university

Xi’an Technological University (西安工业大学)

XATU is a civilian university that primarily engages in defence research. XATU describes itself as ‘having distinct defence-industrial characteristics’ and is heavily involved in weapons development. Since 2016, it has been subject to a ‘joint construction’ agreement between the Shaanxi Provincial Government and defence industry agency SASTIND designed to deepen its defence links.

The university’s main areas of defence research include photoelectric imaging technology, manufacturing technology, materials science, detection and measurement technology and weapons systems. It holds secret-level security credentials.

XATU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Apart from Shenyang Ligong University, XATU is the only Chinese civilian university known to be supervised by state-owned arms manufacturers China North Industries Group (Norinco Group) and China South Industries Group.

The tag is: misp-galaxy:china-defence-universities="Xi’an Technological University (西安工业大学)"

Table 984. Table References

Links

https://unitracker.aspi.org.au/universities/xian-technological-university

Xi’an University of Posts and Telecommunications (西安邮电大学)

XUPT is a leading Chinese university supervised by the Shaanxi Provincial Government and the Department of Information Technology. The university was established in 1959 as an institution focused on communications and information technology. XUPT retains a focus on these disciplines to this day. XUPT’s faculties include colleges focusing on artificial intelligence, automation, cyber security and electrical engineering.

XUPT maintains close links to China’s Ministry of Public Security (MPS). The university has signed agreements and established joint laboratories with the MPS’s local counterparts.

In November 2013, XUPT partnered with the Shaanxi Municipal Government’s public security ministry to establish the MPS Key Laboratory of Electronic Information Application Technology for Scene Investigation (公安部电子信息现场勘验应用技术重点实验室). This was the first such joint laboratory that the MPS established with a university in any of China’s five north-western provinces.

XUPT partnered with Xi’an’s Yanta District Public Security Bureau branch in November 2018, establishing the ‘Joint Laboratory for Smart Public Security Information Analysis and Applications’ (公安信息智能分析及应用联合实验室). The joint laboratory develops applications of artificial intelligence for analysing criminal information.

The tag is: misp-galaxy:china-defence-universities="Xi’an University of Posts and Telecommunications (西安邮电大学)"

Table 985. Table References

Links

https://unitracker.aspi.org.au/universities/xian-university-of-posts-and-telecommunications

Xiamen University (厦门大学)

XMU is one of China’s leading universities, but it does not appear to engage in high levels of defence research. However, in 2018 it came under a joint supervision agreement between the Ministry of Education, the Fujian Provincial Government and defence industry agency SASTIND that indicates XMU will expand its involvement in defence research. The arrangement is designed to ‘upgrade the university’s ability to innovate defence science and technology and actively integrate itself with the development of military-civil fusion.’

In 2017, XMU allegedly conspired with Huawei to steal trade secrets from CNEX Labs Inc., an American semiconductor startup. CNEX claims that Huawei and XMU engaged in a multiyear conspiracy to steal the company’s solid-state drive computer storage technology.

The university appears to be involved in the development of military-use heavy-duty coatings. In 2017, XMU, Fujian Normal University, Fujian Liheng Paint Co. Ltd. (福建立恒涂料有限公司) and People’s Liberation Army Unit 63983 jointly established the Haixi Liheng New Materials Research Institute (海西立恒新材料研究院). Fujian Liheng Paint specialises in heavy-duty coatings for warships and holds confidential-level security credentials, allowing it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Xiamen University (厦门大学)"

Table 986. Table References

Links

https://unitracker.aspi.org.au/universities/xiamen-university

Xiangtan University (湘潭大学)

XTU is a university in Chairman Mao Zedong’s hometown that has substantially expanded its participation in defence research in recent years. It has been subject to two ‘joint construction’ agreements between the Hunan Provincial Government and defence industry agency SASTIND that are designed to help the university ‘draw out its national defence characteristics’. In the university’s own words, its ‘military-civil fusion characteristics are becoming clearer with each day’, and it increased its spending on military-related projects by 60% from 2017 to 2018, spending over RMB31 million (AUD6 million) in 2018.

XTU’s defence research covers areas including materials science, energy, measurement technology and electromagnetic waves. The university has developed partnerships with a major PLA nuclear technology research institution, Northwest Institute of Nuclear Technology, and several defence companies, including subsidiaries of arms manufacturer Norinco Group and defence aviation conglomerate Aero Engine Corporation of China.

XTU holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xiangtan University (湘潭大学)"

Table 987. Table References

Links

https://unitracker.aspi.org.au/universities/xiangtan-university

Xidian University (西安电子科技大学)

Xidian University is among China’s top universities for research on antennas, radar, electronic countermeasures and computer science. The university is subordinate to the Ministry of Education and is also jointly supervised by defence industry agency SASTIND and defence electronics conglomerate CETC. It claims it has ‘made important contributions to military modernisation’.

The university is closely tied to China’s defense industry and the PLA. It runs at least five defence laboratories and partners with the PLA’s signals intelligence organization. Xidian appears to be an important training ground for Chinese military hackers. According to Xidian’s party secretary, the university has had an ‘unbreakable bond with secret intelligence work since its beginning’. It also holds secret-level security credentials that allow it to work on classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Xidian University (西安电子科技大学)"

Table 988. Table References

Links

https://unitracker.aspi.org.au/universities/xidian-university

Yanshan University (燕山大学)

The university was formed as an offshoot of Harbin Institute of Technology, one of China’s top defence universities, in 1960. The university continues to prioritise defence research and is jointly supervised by the Hebei Provincial Government together with the Ministry of Education, Ministry of Industry and Information Technology and defence industry agency SASTIND.

YSU’s Defense Science and Technology Institute was established in 2006 under the support of COSTIND (a defence industry agency that has been replaced by SASTIND) to expand and oversee defence research at the university. The institute has driven the university’s involvement in space-related defence research through the establishment of laboratories such as the Key Laboratory of Fundamental Science of Mechanical Structure and Materials Science Under Extreme Conditions. Four fields of research at YSU are officially designated as defence disciplines: control theory and control science, electrical circuits and systems, mechanical design and theory, and materials science and engineering.

The university holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Yanshan University (燕山大学)"

Table 989. Table References

Links

https://unitracker.aspi.org.au/universities/yanshan-university

Yunnan Normal University (云南师范大学)

YNNU is a Chinese university subordinate to the Yunnan Provincial Government. Since 2013 it has also been supervised by the Ministry of Education. The university has been focused on training teachers since its inception as the Kunming Teachers College (昆明示范学院) in 1950. YNNU now has a broader focus on a variety of humanities, social and natural science disciplines.

YNNU is organised into numerous faculties, some of which are relevant for communist party cadre training:

The tag is: misp-galaxy:china-defence-universities="Yunnan Normal University (云南师范大学)"

Table 990. Table References

Links

https://unitracker.aspi.org.au/universities/yunnan-normal-university

Zhejiang University (浙江大学)

ZJU is subordinate to the Ministry of Education and jointly constructed with defence industry agency SASTIND. This arrangement with SASTIND began in 2016 and is designed to deepen the university’s involvement in defence research. The university holds secret-level security credentials, allowing it to work on classified military projects.

The university’s total research funding amounted to RMB4.56 billion (AUD940 million) in 2018. It has at least three defence laboratories, with one source claiming that the university had ten key national laboratories (国家重点实验室) as of 2015. These laboratories are involved in research on computer simulations, high-performance computing and control science. The university also carries out cyber security research and receives funding for this work from the MSS, China’s civilian intelligence agency.

ZJU cooperates extensively with international universities and companies, with upwards of 40 international joint S&T research labs. The College of Electrical Engineering has joint labs with U.S. companies in key industries, such as Rockwell Automation in the field of information technology, and the National Semiconductor Corporation. Additionally, the university has a joint research lab with U.S. company Microsoft.

The tag is: misp-galaxy:china-defence-universities="Zhejiang University (浙江大学)"

Table 991. Table References

Links

https://unitracker.aspi.org.au/universities/zhejiang-university

CONCORDIA Mobile Modelling Framework - Attack Pattern

A list of techniques in the CONCORDIA Mobile Modelling Framework.

CONCORDIA Mobile Modelling Framework - Attack Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Bernardo Santos, OsloMet (Norway) - Prof. Dr. Thanh van Do, Telenor Research (Norway) - Luis Barriga, Ericsson AB (Sweden) - Prof. Boning Feng, OsloMet (Norway) - Van Thuan Do, Wolffia AS (Norway) - Bruno Dzogovic, OsloMet (Norway) - Niels Jacot, Wolffia AS (Norway)

Active Scanning

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Active Scanning"

Gather UE Identity Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Identity Information"

Gather UE Network Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Network Information"

Phishing for Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Phishing for Information"

Social Media Reports

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Social Media Reports"

Develop Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Develop Capabilities"

Obtain Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obtain Capabilities"

Stage Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Stage Capabilities"

Compromise Accounts

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Accounts"

Acquire Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Acquire Infrastructure"

Compromise Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Infrastructure"

Exploit Public-Facing Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application"

Malicious App from App Store

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from App Store"

Malicious App from Third Party

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from Third Party"

Masquerade as Legitimate Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerade as Legitimate Application"

Exploit via Charging Station or PC

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Charging Station or PC"

Exploit via Radio Interfaces

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Radio Interfaces"

Rogue Cellular Base Station

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Rogue Cellular Base Station"

Insider attacks and human errors

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Insider attacks and human errors"

Trusted Relationship

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Trusted Relationship"

Supply Chain Compromise

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Supply Chain Compromise"

Native Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Native Code"

Scheduled Task/Job

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Scheduled Task/Job"

Command-Line Interface

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command-Line Interface"

Command and Scripting Interpreter

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command and Scripting Interpreter"

Boot or Logon Autostart Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution"

Foreground Persistence

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Foreground Persistence"

Modify Cached Executable Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Cached Executable Code"

Compromise Application Executable

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Application Executable"

Modify OS Kernel or Boot Partition

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify OS Kernel or Boot Partition"

Event Triggered Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Event Triggered Execution"

Spoofed radio network

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Spoofed radio network"

Infecting network nodes

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Infecting network nodes"

Code Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Code Injection"

Process Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Process Injection"

Masquerading

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerading"

Disguise Root/Jailbreak Indicators

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Disguise Root/Jailbreak Indicators"

Evade Analysis Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Evade Analysis Environment"

Modify Trusted Execution Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Trusted Execution Environment"

Obfuscated Files or Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obfuscated Files or Information"

Suppress Application Icon

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Suppress Application Icon"

Uninstall Malicious Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Uninstall Malicious Application"

Install Insecure or Malicious Configuration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Install Insecure or Malicious Configuration"

Geofencing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Geofencing"

Shutdown Remote Device

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Shutdown Remote Device"

Exploitation for Defense Evasion

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploitation for Defense Evasion"

Security Audit Camouflage

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Security Audit Camouflage"

Overload Avoidance

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Overload Avoidance"

Traffic Distribution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Traffic Distribution"

URI Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="URI Hijacking"

Modify Authentication Process

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Authentication Process"

Forced Authentication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Forced Authentication"

System Network Connections Discovery

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery"

UE knocking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="UE knocking"

Internal Resource Search

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Internal Resource Search"

Network Sniffing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Sniffing"

Abusing Inter-working Functionalities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Abusing Inter-working Functionalities"

Replication Through SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through SMS"

Replication Through Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through Bluetooth"

Replication Through WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through WLAN"

Replication Through IP

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through IP"

Exploit platform & service specific vulnerabilites

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit platform & service specific vulnerabilites"

Access Sensitive Data in Device Logs

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Access Sensitive Data in Device Logs"

Network Traffic Capture or Redirection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Traffic Capture or Redirection"

Network-specific identifiers

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific identifiers"

Network-specific data

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific data"

Application Layer Protocol

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Application Layer Protocol"

Communication via SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via SMS"

Communication via Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via Bluetooth"

Communication via WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via WLAN"

Exploit SS7 to Redirect Phone Calls/SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS"

Exploit SS7 to Track Device Location

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Track Device Location"

SS7-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SS7-based attacks"

Diameter-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Diameter-based attacks"

GTP-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="GTP-based attacks"

NAS-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="NAS-based attacks"

MEC-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="MEC-based attacks"

Network Slice

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Slice"

Automated Exfiltration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration"

Data Encrypted

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Encrypted"

Alternate Network Mediums

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Alternate Network Mediums"

Data Manipulation

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Manipulation"

Endpoint Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Endpoint Denial of Service"

Carrier Billing Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Carrier Billing Fraud"

SMS Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SMS Fraud"

Manipulate Device Communication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Manipulate Device Communication"

Jamming or Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Jamming or Denial of Service"

Location Tracking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Location Tracking"

Identity Exploit

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Identity Exploit"

Network Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Denial of Service"

Resource Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Resource Hijacking"

SLA Breach

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SLA Breach"

Customer Churn

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Customer Churn"

Country

Country meta information based on the database provided by geonames.org.

Country is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

geonames.org

andorra

Andorra

The tag is: misp-galaxy:country="andorra"

united arab emirates

United Arab Emirates

The tag is: misp-galaxy:country="united arab emirates"

afghanistan

Afghanistan

The tag is: misp-galaxy:country="afghanistan"

antigua and barbuda

Antigua and Barbuda

The tag is: misp-galaxy:country="antigua and barbuda"

anguilla

Anguilla

The tag is: misp-galaxy:country="anguilla"

albania

Albania

The tag is: misp-galaxy:country="albania"

armenia

Armenia

The tag is: misp-galaxy:country="armenia"

angola

Angola

The tag is: misp-galaxy:country="angola"

antarctica

Antarctica

The tag is: misp-galaxy:country="antarctica"

argentina

Argentina

The tag is: misp-galaxy:country="argentina"

american samoa

American Samoa

The tag is: misp-galaxy:country="american samoa"

austria

Austria

The tag is: misp-galaxy:country="austria"

australia

Australia

The tag is: misp-galaxy:country="australia"

aruba

Aruba

The tag is: misp-galaxy:country="aruba"

aland islands

Aland Islands

The tag is: misp-galaxy:country="aland islands"

azerbaijan

Azerbaijan

The tag is: misp-galaxy:country="azerbaijan"

bosnia and herzegovina

Bosnia and Herzegovina

The tag is: misp-galaxy:country="bosnia and herzegovina"

barbados

Barbados

The tag is: misp-galaxy:country="barbados"

bangladesh

Bangladesh

The tag is: misp-galaxy:country="bangladesh"

belgium

Belgium

The tag is: misp-galaxy:country="belgium"

burkina faso

Burkina Faso

The tag is: misp-galaxy:country="burkina faso"

bulgaria

Bulgaria

The tag is: misp-galaxy:country="bulgaria"

bahrain

Bahrain

The tag is: misp-galaxy:country="bahrain"

burundi

Burundi

The tag is: misp-galaxy:country="burundi"

benin

Benin

The tag is: misp-galaxy:country="benin"

saint barthelemy

Saint Barthelemy

The tag is: misp-galaxy:country="saint barthelemy"

bermuda

Bermuda

The tag is: misp-galaxy:country="bermuda"

brunei

Brunei

The tag is: misp-galaxy:country="brunei"

bolivia

Bolivia

The tag is: misp-galaxy:country="bolivia"

bonaire, saint eustatius and saba

Bonaire, Saint Eustatius and Saba

The tag is: misp-galaxy:country="bonaire, saint eustatius and saba "

brazil

Brazil

The tag is: misp-galaxy:country="brazil"

bahamas

Bahamas

The tag is: misp-galaxy:country="bahamas"

bhutan

Bhutan

The tag is: misp-galaxy:country="bhutan"

bouvet island

Bouvet Island

The tag is: misp-galaxy:country="bouvet island"

botswana

Botswana

The tag is: misp-galaxy:country="botswana"

belarus

Belarus

The tag is: misp-galaxy:country="belarus"

belize

Belize

The tag is: misp-galaxy:country="belize"

canada

Canada

The tag is: misp-galaxy:country="canada"

cocos islands

Cocos Islands

The tag is: misp-galaxy:country="cocos islands"

democratic republic of the congo

Democratic Republic of the Congo

The tag is: misp-galaxy:country="democratic republic of the congo"

central african republic

Central African Republic

The tag is: misp-galaxy:country="central african republic"

republic of the congo

Republic of the Congo

The tag is: misp-galaxy:country="republic of the congo"

switzerland

Switzerland

The tag is: misp-galaxy:country="switzerland"

ivory coast

Ivory Coast

The tag is: misp-galaxy:country="ivory coast"

cook islands

Cook Islands

The tag is: misp-galaxy:country="cook islands"

chile

Chile

The tag is: misp-galaxy:country="chile"

cameroon

Cameroon

The tag is: misp-galaxy:country="cameroon"

china

China

The tag is: misp-galaxy:country="china"

colombia

Colombia

The tag is: misp-galaxy:country="colombia"

costa rica

Costa Rica

The tag is: misp-galaxy:country="costa rica"

cuba

Cuba

The tag is: misp-galaxy:country="cuba"

cabo verde

Cabo Verde

The tag is: misp-galaxy:country="cabo verde"

curacao

Curacao

The tag is: misp-galaxy:country="curacao"

christmas island

Christmas Island

The tag is: misp-galaxy:country="christmas island"

cyprus

Cyprus

The tag is: misp-galaxy:country="cyprus"

czechia

Czechia

The tag is: misp-galaxy:country="czechia"

germany

Germany

The tag is: misp-galaxy:country="germany"

djibouti

Djibouti

The tag is: misp-galaxy:country="djibouti"

denmark

Denmark

The tag is: misp-galaxy:country="denmark"

dominica

Dominica

The tag is: misp-galaxy:country="dominica"

dominican republic

Dominican Republic

The tag is: misp-galaxy:country="dominican republic"

algeria

Algeria

The tag is: misp-galaxy:country="algeria"

ecuador

Ecuador

The tag is: misp-galaxy:country="ecuador"

estonia

Estonia

The tag is: misp-galaxy:country="estonia"

egypt

Egypt

The tag is: misp-galaxy:country="egypt"

western sahara

Western Sahara

The tag is: misp-galaxy:country="western sahara"

eritrea

Eritrea

The tag is: misp-galaxy:country="eritrea"

spain

Spain

The tag is: misp-galaxy:country="spain"

ethiopia

Ethiopia

The tag is: misp-galaxy:country="ethiopia"

finland

Finland

The tag is: misp-galaxy:country="finland"

fiji

Fiji

The tag is: misp-galaxy:country="fiji"

falkland islands

Falkland Islands

The tag is: misp-galaxy:country="falkland islands"

micronesia

Micronesia

The tag is: misp-galaxy:country="micronesia"

faroe islands

Faroe Islands

The tag is: misp-galaxy:country="faroe islands"

france

France

The tag is: misp-galaxy:country="france"

gabon

Gabon

The tag is: misp-galaxy:country="gabon"

united kingdom

United Kingdom

The tag is: misp-galaxy:country="united kingdom"

grenada

Grenada

The tag is: misp-galaxy:country="grenada"

georgia

Georgia

The tag is: misp-galaxy:country="georgia"

french guiana

French Guiana

The tag is: misp-galaxy:country="french guiana"

guernsey

Guernsey

The tag is: misp-galaxy:country="guernsey"

ghana

Ghana

The tag is: misp-galaxy:country="ghana"

gibraltar

Gibraltar

The tag is: misp-galaxy:country="gibraltar"

greenland

Greenland

The tag is: misp-galaxy:country="greenland"

gambia

Gambia

The tag is: misp-galaxy:country="gambia"

guinea

Guinea

The tag is: misp-galaxy:country="guinea"

guadeloupe

Guadeloupe

The tag is: misp-galaxy:country="guadeloupe"

equatorial guinea

Equatorial Guinea

The tag is: misp-galaxy:country="equatorial guinea"

greece

Greece

The tag is: misp-galaxy:country="greece"

south georgia and the south sandwich islands

South Georgia and the South Sandwich Islands

The tag is: misp-galaxy:country="south georgia and the south sandwich islands"

guatemala

Guatemala

The tag is: misp-galaxy:country="guatemala"

guam

Guam

The tag is: misp-galaxy:country="guam"

guinea-bissau

Guinea-Bissau

The tag is: misp-galaxy:country="guinea-bissau"

guyana

Guyana

The tag is: misp-galaxy:country="guyana"

hong kong

Hong Kong

The tag is: misp-galaxy:country="hong kong"

heard island and mcdonald islands

Heard Island and McDonald Islands

The tag is: misp-galaxy:country="heard island and mcdonald islands"

honduras

Honduras

The tag is: misp-galaxy:country="honduras"

croatia

Croatia

The tag is: misp-galaxy:country="croatia"

haiti

Haiti

The tag is: misp-galaxy:country="haiti"

hungary

Hungary

The tag is: misp-galaxy:country="hungary"

indonesia

Indonesia

The tag is: misp-galaxy:country="indonesia"

ireland

Ireland

The tag is: misp-galaxy:country="ireland"

israel

Israel

The tag is: misp-galaxy:country="israel"

isle of man

Isle of Man

The tag is: misp-galaxy:country="isle of man"

india

India

The tag is: misp-galaxy:country="india"

british indian ocean territory

British Indian Ocean Territory

The tag is: misp-galaxy:country="british indian ocean territory"

iraq

Iraq

The tag is: misp-galaxy:country="iraq"

iran

Iran

The tag is: misp-galaxy:country="iran"

iceland

Iceland

The tag is: misp-galaxy:country="iceland"

italy

Italy

The tag is: misp-galaxy:country="italy"

jersey

Jersey

The tag is: misp-galaxy:country="jersey"

jamaica

Jamaica

The tag is: misp-galaxy:country="jamaica"

jordan

Jordan

The tag is: misp-galaxy:country="jordan"

japan

Japan

The tag is: misp-galaxy:country="japan"

kenya

Kenya

The tag is: misp-galaxy:country="kenya"

kyrgyzstan

Kyrgyzstan

The tag is: misp-galaxy:country="kyrgyzstan"

cambodia

Cambodia

The tag is: misp-galaxy:country="cambodia"

kiribati

Kiribati

The tag is: misp-galaxy:country="kiribati"

comoros

Comoros

The tag is: misp-galaxy:country="comoros"

saint kitts and nevis

Saint Kitts and Nevis

The tag is: misp-galaxy:country="saint kitts and nevis"

north korea

North Korea

The tag is: misp-galaxy:country="north korea"

south korea

South Korea

The tag is: misp-galaxy:country="south korea"

kosovo

Kosovo

The tag is: misp-galaxy:country="kosovo"

kuwait

Kuwait

The tag is: misp-galaxy:country="kuwait"

cayman islands

Cayman Islands

The tag is: misp-galaxy:country="cayman islands"

kazakhstan

Kazakhstan

The tag is: misp-galaxy:country="kazakhstan"

laos

Laos

The tag is: misp-galaxy:country="laos"

lebanon

Lebanon

The tag is: misp-galaxy:country="lebanon"

saint lucia

Saint Lucia

The tag is: misp-galaxy:country="saint lucia"

liechtenstein

Liechtenstein

The tag is: misp-galaxy:country="liechtenstein"

sri lanka

Sri Lanka

The tag is: misp-galaxy:country="sri lanka"

liberia

Liberia

The tag is: misp-galaxy:country="liberia"

lesotho

Lesotho

The tag is: misp-galaxy:country="lesotho"

lithuania

Lithuania

The tag is: misp-galaxy:country="lithuania"

luxembourg

Luxembourg

The tag is: misp-galaxy:country="luxembourg"

latvia

Latvia

The tag is: misp-galaxy:country="latvia"

libya

Libya

The tag is: misp-galaxy:country="libya"

morocco

Morocco

The tag is: misp-galaxy:country="morocco"

monaco

Monaco

The tag is: misp-galaxy:country="monaco"

moldova

Moldova

The tag is: misp-galaxy:country="moldova"

montenegro

Montenegro

The tag is: misp-galaxy:country="montenegro"

saint martin

Saint Martin

The tag is: misp-galaxy:country="saint martin"

madagascar

Madagascar

The tag is: misp-galaxy:country="madagascar"

marshall islands

Marshall Islands

The tag is: misp-galaxy:country="marshall islands"

north macedonia

North Macedonia

The tag is: misp-galaxy:country="north macedonia"

mali

Mali

The tag is: misp-galaxy:country="mali"

myanmar

Myanmar

The tag is: misp-galaxy:country="myanmar"

mongolia

Mongolia

The tag is: misp-galaxy:country="mongolia"

macao

Macao

The tag is: misp-galaxy:country="macao"

northern mariana islands

Northern Mariana Islands

The tag is: misp-galaxy:country="northern mariana islands"

martinique

Martinique

The tag is: misp-galaxy:country="martinique"

mauritania

Mauritania

The tag is: misp-galaxy:country="mauritania"

montserrat

Montserrat

The tag is: misp-galaxy:country="montserrat"

malta

Malta

The tag is: misp-galaxy:country="malta"

mauritius

Mauritius

The tag is: misp-galaxy:country="mauritius"

maldives

Maldives

The tag is: misp-galaxy:country="maldives"

malawi

Malawi

The tag is: misp-galaxy:country="malawi"

mexico

Mexico

The tag is: misp-galaxy:country="mexico"

malaysia

Malaysia

The tag is: misp-galaxy:country="malaysia"

mozambique

Mozambique

The tag is: misp-galaxy:country="mozambique"

namibia

Namibia

The tag is: misp-galaxy:country="namibia"

new caledonia

New Caledonia

The tag is: misp-galaxy:country="new caledonia"

niger

Niger

The tag is: misp-galaxy:country="niger"

norfolk island

Norfolk Island

The tag is: misp-galaxy:country="norfolk island"

nigeria

Nigeria

The tag is: misp-galaxy:country="nigeria"

nicaragua

Nicaragua

The tag is: misp-galaxy:country="nicaragua"

netherlands

Netherlands

The tag is: misp-galaxy:country="netherlands"

norway

Norway

The tag is: misp-galaxy:country="norway"

nepal

Nepal

The tag is: misp-galaxy:country="nepal"

nauru

Nauru

The tag is: misp-galaxy:country="nauru"

niue

Niue

The tag is: misp-galaxy:country="niue"

new zealand

New Zealand

The tag is: misp-galaxy:country="new zealand"

oman

Oman

The tag is: misp-galaxy:country="oman"

panama

Panama

The tag is: misp-galaxy:country="panama"

peru

Peru

The tag is: misp-galaxy:country="peru"

french polynesia

French Polynesia

The tag is: misp-galaxy:country="french polynesia"

papua new guinea

Papua New Guinea

The tag is: misp-galaxy:country="papua new guinea"

philippines

Philippines

The tag is: misp-galaxy:country="philippines"

pakistan

Pakistan

The tag is: misp-galaxy:country="pakistan"

poland

Poland

The tag is: misp-galaxy:country="poland"

saint pierre and miquelon

Saint Pierre and Miquelon

The tag is: misp-galaxy:country="saint pierre and miquelon"

pitcairn

Pitcairn

The tag is: misp-galaxy:country="pitcairn"

puerto rico

Puerto Rico

The tag is: misp-galaxy:country="puerto rico"

palestinian territory

Palestinian Territory

The tag is: misp-galaxy:country="palestinian territory"

portugal

Portugal

The tag is: misp-galaxy:country="portugal"

palau

Palau

The tag is: misp-galaxy:country="palau"

paraguay

Paraguay

The tag is: misp-galaxy:country="paraguay"

qatar

Qatar

The tag is: misp-galaxy:country="qatar"

reunion

Reunion

The tag is: misp-galaxy:country="reunion"

romania

Romania

The tag is: misp-galaxy:country="romania"

serbia

Serbia

The tag is: misp-galaxy:country="serbia"

russia

Russia

The tag is: misp-galaxy:country="russia"

rwanda

Rwanda

The tag is: misp-galaxy:country="rwanda"

saudi arabia

Saudi Arabia

The tag is: misp-galaxy:country="saudi arabia"

solomon islands

Solomon Islands

The tag is: misp-galaxy:country="solomon islands"

seychelles

Seychelles

The tag is: misp-galaxy:country="seychelles"

sudan

Sudan

The tag is: misp-galaxy:country="sudan"

south sudan

South Sudan

The tag is: misp-galaxy:country="south sudan"

sweden

Sweden

The tag is: misp-galaxy:country="sweden"

singapore

Singapore

The tag is: misp-galaxy:country="singapore"

saint helena

Saint Helena

The tag is: misp-galaxy:country="saint helena"

slovenia

Slovenia

The tag is: misp-galaxy:country="slovenia"

svalbard and jan mayen

Svalbard and Jan Mayen

The tag is: misp-galaxy:country="svalbard and jan mayen"

slovakia

Slovakia

The tag is: misp-galaxy:country="slovakia"

sierra leone

Sierra Leone

The tag is: misp-galaxy:country="sierra leone"

san marino

San Marino

The tag is: misp-galaxy:country="san marino"

senegal

Senegal

The tag is: misp-galaxy:country="senegal"

somalia

Somalia

The tag is: misp-galaxy:country="somalia"

suriname

Suriname

The tag is: misp-galaxy:country="suriname"

sao tome and principe

Sao Tome and Principe

The tag is: misp-galaxy:country="sao tome and principe"

el salvador

El Salvador

The tag is: misp-galaxy:country="el salvador"

sint maarten

Sint Maarten

The tag is: misp-galaxy:country="sint maarten"

syria

Syria

The tag is: misp-galaxy:country="syria"

eswatini

Eswatini

The tag is: misp-galaxy:country="eswatini"

turks and caicos islands

Turks and Caicos Islands

The tag is: misp-galaxy:country="turks and caicos islands"

chad

Chad

The tag is: misp-galaxy:country="chad"

french southern territories

French Southern Territories

The tag is: misp-galaxy:country="french southern territories"

togo

Togo

The tag is: misp-galaxy:country="togo"

thailand

Thailand

The tag is: misp-galaxy:country="thailand"

tajikistan

Tajikistan

The tag is: misp-galaxy:country="tajikistan"

tokelau

Tokelau

The tag is: misp-galaxy:country="tokelau"

timor leste

Timor Leste

The tag is: misp-galaxy:country="timor leste"

turkmenistan

Turkmenistan

The tag is: misp-galaxy:country="turkmenistan"

tunisia

Tunisia

The tag is: misp-galaxy:country="tunisia"

tonga

Tonga

The tag is: misp-galaxy:country="tonga"

turkey

Turkey

The tag is: misp-galaxy:country="turkey"

trinidad and tobago

Trinidad and Tobago

The tag is: misp-galaxy:country="trinidad and tobago"

tuvalu

Tuvalu

The tag is: misp-galaxy:country="tuvalu"

taiwan

Taiwan

The tag is: misp-galaxy:country="taiwan"

tanzania

Tanzania

The tag is: misp-galaxy:country="tanzania"

ukraine

Ukraine

The tag is: misp-galaxy:country="ukraine"

uganda

Uganda

The tag is: misp-galaxy:country="uganda"

united states minor outlying islands

United States Minor Outlying Islands

The tag is: misp-galaxy:country="united states minor outlying islands"

united states of america

United States of America

The tag is: misp-galaxy:country="united states of america"

uruguay

Uruguay

The tag is: misp-galaxy:country="uruguay"

uzbekistan

Uzbekistan

The tag is: misp-galaxy:country="uzbekistan"

vatican

Vatican

The tag is: misp-galaxy:country="vatican"

saint vincent and the grenadines

Saint Vincent and the Grenadines

The tag is: misp-galaxy:country="saint vincent and the grenadines"

venezuela

Venezuela

The tag is: misp-galaxy:country="venezuela"

british virgin islands

British Virgin Islands

The tag is: misp-galaxy:country="british virgin islands"

u.s. virgin islands

U.S. Virgin Islands

The tag is: misp-galaxy:country="u.s. virgin islands"

vietnam

Vietnam

The tag is: misp-galaxy:country="vietnam"

vanuatu

Vanuatu

The tag is: misp-galaxy:country="vanuatu"

wallis and futuna

Wallis and Futuna

The tag is: misp-galaxy:country="wallis and futuna"

samoa

Samoa

The tag is: misp-galaxy:country="samoa"

yemen

Yemen

The tag is: misp-galaxy:country="yemen"

mayotte

Mayotte

The tag is: misp-galaxy:country="mayotte"

south africa

South Africa

The tag is: misp-galaxy:country="south africa"

zambia

Zambia

The tag is: misp-galaxy:country="zambia"

zimbabwe

Zimbabwe

The tag is: misp-galaxy:country="zimbabwe"

serbia and montenegro

Serbia and Montenegro

The tag is: misp-galaxy:country="serbia and montenegro"

netherlands antilles

Netherlands Antilles

The tag is: misp-galaxy:country="netherlands antilles"

Cryptominers

A list of cryptominer and cryptojacker malware.

Cryptominers is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Cisco Talos - raw-data

Lemon Duck

The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and EternalBlue.

The tag is: misp-galaxy:cryptominers="Lemon Duck"

Lemon Duck is also known as:

Table 992. Table References

Links

https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html

https://success.trendmicro.com/solution/000261916

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer

https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/

Blue Mockingbird Cryptominer

Blue Mockingbird Cryptominer is a crypto-mining payload delivered within DLLs on Windows systems.

The tag is: misp-galaxy:cryptominers="Blue Mockingbird Cryptominer"

Table 994. Table References

Links

https://redcanary.com/blog/blue-mockingbird-cryptominer/

Krane

The Krane malware uses SSH brute-force techniques to drop the XMRig cryptominer on the target to mine for the Hashvault pool.

The tag is: misp-galaxy:cryptominers="Krane"

Table 995. Table References

Links

https://cujo.com/threat-alert-krane-malware/

Hezb

“Hezb”, a name derived from command line artifact data, was observed alongside Kinsing. This malware is relatively new and was recently reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.

The tag is: misp-galaxy:cryptominers="Hezb"

Table 996. Table References

Links

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

Actor Types

DISARM is a framework designed for describing and understanding disinformation incidents.

Actor Types is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

data scientist

Person who can wrangle data, implement machine learning algorithms, etc.

The tag is: misp-galaxy:disarm-actortypes="data scientist"

Table 997. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A001.md

target

Person being targeted by a disinformation campaign.

The tag is: misp-galaxy:disarm-actortypes="target"

Table 998. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A002.md

trusted authority

Influencer

The tag is: misp-galaxy:disarm-actortypes="trusted authority"

Table 999. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A003.md

activist

The tag is: misp-galaxy:disarm-actortypes="activist"

Table 1000. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A004.md

community group

The tag is: misp-galaxy:disarm-actortypes="community group"

Table 1001. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A005.md

educator

The tag is: misp-galaxy:disarm-actortypes="educator"

Table 1002. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A006.md

factchecker

Someone with the skills to verify whether information posted is factual

The tag is: misp-galaxy:disarm-actortypes="factchecker"

Table 1003. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A007.md

library

The tag is: misp-galaxy:disarm-actortypes="library"

Table 1004. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A008.md

NGO

The tag is: misp-galaxy:disarm-actortypes="NGO"

Table 1005. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A009.md

religious organisation

The tag is: misp-galaxy:disarm-actortypes="religious organisation"

Table 1006. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A010.md

school

The tag is: misp-galaxy:disarm-actortypes="school"

Table 1007. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A011.md

account owner

Anyone who owns an account online

The tag is: misp-galaxy:disarm-actortypes="account owner"

Table 1008. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A012.md

content creator

The tag is: misp-galaxy:disarm-actortypes="content creator"

Table 1009. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A013.md

elves

The tag is: misp-galaxy:disarm-actortypes="elves"

Table 1010. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A014.md

general public

The tag is: misp-galaxy:disarm-actortypes="general public"

Table 1011. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A015.md

influencer

The tag is: misp-galaxy:disarm-actortypes="influencer"

Table 1012. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A016.md

coordinating body

For example the DHS

The tag is: misp-galaxy:disarm-actortypes="coordinating body"

Table 1013. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A017.md

government

Government agencies

The tag is: misp-galaxy:disarm-actortypes="government"

Table 1014. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A018.md

military

The tag is: misp-galaxy:disarm-actortypes="military"

Table 1015. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A019.md

policy maker

The tag is: misp-galaxy:disarm-actortypes="policy maker"

Table 1016. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A020.md

media organisation

The tag is: misp-galaxy:disarm-actortypes="media organisation"

Table 1017. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A021.md

company

The tag is: misp-galaxy:disarm-actortypes="company"

Table 1018. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A022.md

adtech provider

The tag is: misp-galaxy:disarm-actortypes="adtech provider"

Table 1019. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A023.md

developer

The tag is: misp-galaxy:disarm-actortypes="developer"

Table 1020. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A024.md

funding_site_admin

Funding site admin

The tag is: misp-galaxy:disarm-actortypes="funding_site_admin"

Table 1021. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A025.md

games designer

The tag is: misp-galaxy:disarm-actortypes="games designer"

Table 1022. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A026.md

information security

The tag is: misp-galaxy:disarm-actortypes="information security"

Table 1023. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A027.md

platform administrator

The tag is: misp-galaxy:disarm-actortypes="platform administrator"

Table 1024. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A028.md

server admininistrator

The tag is: misp-galaxy:disarm-actortypes="server admininistrator"

Table 1025. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A029.md

platforms

The tag is: misp-galaxy:disarm-actortypes="platforms"

Table 1026. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A030.md

social media platform adminstrator

Person with the authority to make changes to algorithms, take down content etc.

The tag is: misp-galaxy:disarm-actortypes="social media platform adminstrator"

Table 1027. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A031.md

social media platform outreach

The tag is: misp-galaxy:disarm-actortypes="social media platform outreach"

Table 1028. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A032.md

social media platform owner

Person with authority to make changes to a social media company’s business model

The tag is: misp-galaxy:disarm-actortypes="social media platform owner"

Table 1029. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A033.md

Countermeasures

DISARM is a framework designed for describing and understanding disinformation incidents.

Countermeasures is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Charge for social media

Include a paid-for privacy option, e.g. pay Facebook for an option of them not collecting your personal information. There are examples of this not working, e.g. most people don’t use proton mail etc.

The tag is: misp-galaxy:disarm-countermeasures="Charge for social media"

Table 1030. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00006.md

Create shared fact-checking database

Share fact-checking resources - tips, responses, countermessages - across response groups.

The tag is: misp-galaxy:disarm-countermeasures="Create shared fact-checking database"

Table 1031. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00008.md

Educate high profile influencers on best practices

Find online influencers. Provide training in the mechanisms of disinformation, how to spot campaigns, and/or how to contribute to responses by countermessaging, boosting information sites etc.

The tag is: misp-galaxy:disarm-countermeasures="Educate high profile influencers on best practices"

Table 1032. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00009.md

Enhanced privacy regulation for social media

Implement stronger privacy standards, to reduce the ability to microtarget community members.

The tag is: misp-galaxy:disarm-countermeasures="Enhanced privacy regulation for social media"

Table 1033. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00010.md

Media literacy. Games to identify fake news

Create and use games to show people the mechanics of disinformation, and how to counter them.

The tag is: misp-galaxy:disarm-countermeasures="Media literacy. Games to identify fake news"

Table 1034. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00011.md

Platform regulation

Empower existing regulators to govern social media. Also covers Destroy. Includes: Include the role of social media in the regulatory framework for media. The U.S. approach will need to be carefully crafted to protect First Amendment principles, create needed transparency, ensure liability, and impose costs for noncompliance. Includes Create policy that makes social media police disinformation. Includes: Use fraud legislation to clean up social media

The tag is: misp-galaxy:disarm-countermeasures="Platform regulation"

Table 1035. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00012.md

Rating framework for news

This is "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news. Example: journalistic ethics, or a journalistic licencing body. Include full transcripts, link sources, add items.

The tag is: misp-galaxy:disarm-countermeasures="Rating framework for news"

Table 1036. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00013.md

Real-time updates to fact-checking database

Update fact-checking databases and resources in real time. Especially important for time-limited events like natural disasters.

The tag is: misp-galaxy:disarm-countermeasures="Real-time updates to fact-checking database"

Table 1037. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00014.md

Censorship

Alter and/or block the publication/dissemination of information controlled by disinformation creators. Not recommended.

The tag is: misp-galaxy:disarm-countermeasures="Censorship"

Table 1038. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00016.md

Repair broken social connections

For example, use a media campaign to promote in-group to out-group in-person communication / activities. Technique could be in terms of forcing a reality-check by talking to people instead of reading about bogeymen.

The tag is: misp-galaxy:disarm-countermeasures="Repair broken social connections"

Table 1039. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00017.md

Reduce effect of division-enablers

Includes "Promote constructive communication by shaming division-enablers" and "Promote playbooks to call out division-enablers".

The tag is: misp-galaxy:disarm-countermeasures="Reduce effect of division-enablers"

Table 1040. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00019.md

Encourage in-person communication

Encourage offline communication

The tag is: misp-galaxy:disarm-countermeasures="Encourage in-person communication"

Table 1041. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00021.md

Innoculate. Positive campaign to promote feeling of safety

Used to counter ability-based and fear-based attacks.

The tag is: misp-galaxy:disarm-countermeasures="Innoculate. Positive campaign to promote feeling of safety"

Table 1042. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00022.md

Promote healthy narratives

Includes promoting constructive narratives i.e. not polarising (e.g. pro-life, pro-choice, pro-USA). Includes promoting identity neutral narratives.

The tag is: misp-galaxy:disarm-countermeasures="Promote healthy narratives"

Table 1043. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00024.md

Shore up democracy based messages

Messages about e.g. peace, freedom. And make it sexy. Includes Deploy Information and Narrative-Building in Service of Statecraft: Promote a narrative of transparency, truthfulness, liberal values, and democracy. Implement a compelling narrative via effective mechanisms of communication. Continually reassess messages, mechanisms, and audiences over time. Counteract efforts to manipulate media, undermine free markets, and suppress political freedoms via public diplomacy

The tag is: misp-galaxy:disarm-countermeasures="Shore up democracy based messages"

Table 1044. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00026.md

Create culture of civility

This is passive. Includes promoting civility as an identity that people will defend.

The tag is: misp-galaxy:disarm-countermeasures="Create culture of civility"

Table 1045. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00027.md

Make information provenance available

Blockchain audit log and validation with collaborative decryption to post comments. Use blockchain technology to require collaborative validation before posts or comments are submitted. This could be used to adjust upvote weight via a trust factor of people and organisations you trust, or other criteria.

The tag is: misp-galaxy:disarm-countermeasures="Make information provenance available"

Table 1046. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00028.md

Create fake website to issue counter narrative and counter narrative through physical merchandise

Create websites in disinformation voids - spaces where people are looking for known disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Create fake website to issue counter narrative and counter narrative through physical merchandise"

Table 1047. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00029.md

Develop a compelling counter narrative (truth based)

The tag is: misp-galaxy:disarm-countermeasures="Develop a compelling counter narrative (truth based)"

Table 1048. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00030.md

Dilute the core narrative - create multiple permutations, target / amplify

Create competing narratives. Included "Facilitate State Propaganda" as diluting the narrative could have an effect on the pro-state narrative used by volunteers, or lower their involvement.

The tag is: misp-galaxy:disarm-countermeasures="Dilute the core narrative - create multiple permutations, target / amplify"

Table 1049. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00031.md

Hijack content and link to truth- based info

Link to platform

The tag is: misp-galaxy:disarm-countermeasures="Hijack content and link to truth- based info"

Table 1050. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00032.md

Create more friction at account creation

Counters fake accounts.

The tag is: misp-galaxy:disarm-countermeasures="Create more friction at account creation"

Table 1051. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00034.md

Infiltrate the in-group to discredit leaders (divide)

All of these would be highly affected by infiltration or false-claims of infiltration.

The tag is: misp-galaxy:disarm-countermeasures="Infiltrate the in-group to discredit leaders (divide)"

Table 1052. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00036.md

third party verification for people

Counters fake experts.

The tag is: misp-galaxy:disarm-countermeasures="third party verification for people"

Table 1053. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00040.md

Address truth contained in narratives

Focus on and boost truths in misinformation narratives, removing misinformation from them.

The tag is: misp-galaxy:disarm-countermeasures="Address truth contained in narratives"

Table 1054. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00042.md

Keep people from posting to social media immediately

Platforms can introduce friction to slow down activities, force a small delay between posts, or replies to posts.

The tag is: misp-galaxy:disarm-countermeasures="Keep people from posting to social media immediately"

Table 1055. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00044.md

Marginalise and discredit extremist groups

Reduce the credibility of extremist groups posting misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Marginalise and discredit extremist groups"

Table 1056. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00046.md

Honeypot with coordinated inauthentics

Flood disinformation spaces with obviously fake content, to dilute core misinformation narratives in them.

The tag is: misp-galaxy:disarm-countermeasures="Honeypot with coordinated inauthentics"

Table 1057. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00047.md

Name and Shame Influencers

Think about the different levels: individual vs state-sponsored account. Includes "call them out" and "name and shame". Identifying social media accounts as sources of propaganda ("calling them out") might be helpful to prevent the spread of their message to audiences that otherwise would consider them factual. Identify, monitor, and, if necessary, target externally-based non-attributed social media accounts. Impact of and dealing with trolls: "Chatham House has observed that trolls also sometimes function as decoys, as a way of 'keeping the infantry busy' that 'aims to wear down the other side'" (Lough et al., 2014). Another type of troll involves "false accounts posing as authoritative information sources on social media".

The tag is: misp-galaxy:disarm-countermeasures="Name and Shame Influencers"

Table 1058. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00048.md

Counter social engineering training

Includes anti-elicitation training, phishing prevention education.

The tag is: misp-galaxy:disarm-countermeasures="Counter social engineering training"

Table 1059. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00051.md

Infiltrate platforms

Detect and degrade

The tag is: misp-galaxy:disarm-countermeasures="Infiltrate platforms"

Table 1060. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00052.md

Delete old accounts / Remove unused social media accounts

Remove, or remove access to (e.g. stop the ability to update), old social media accounts, to reduce the pool of accounts available for takeover, botnets etc.

The tag is: misp-galaxy:disarm-countermeasures="Delete old accounts / Remove unused social media accounts"

Table 1061. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00053.md

Encourage people to leave social media

Encourage people to leave social media. We don’t expect this to work.

The tag is: misp-galaxy:disarm-countermeasures="Encourage people to leave social media"

Table 1062. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00056.md

Report crowdfunder as violator

Counters crowdfunding. Includes "Expose online funding as fake".

The tag is: misp-galaxy:disarm-countermeasures="Report crowdfunder as violator"

Table 1063. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00058.md

Verification of project before posting fund requests

Third-party verification of projects posting funding campaigns before those campaigns can be posted.

The tag is: misp-galaxy:disarm-countermeasures="Verification of project before posting fund requests"

Table 1064. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00059.md

Legal action against for-profit engagement factories

Take legal action against for-profit "factories" creating misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Legal action against for-profit engagement factories"

Table 1065. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00060.md

Free open library sources worldwide

Open-source libraries could be created that aid in some way for each technique. Even for Strategic Planning, some open-source frameworks such as DISARM can be created to counter the adversarial efforts.

The tag is: misp-galaxy:disarm-countermeasures="Free open library sources worldwide"

Table 1066. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00062.md

Reduce political targeting

Includes “ban political micro targeting” and “ban political ads”

The tag is: misp-galaxy:disarm-countermeasures="Reduce political targeting"

Table 1067. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00065.md

Co-opt a hashtag and drown it out (hijack it back)

Flood a disinformation-related hashtag with other content.

The tag is: misp-galaxy:disarm-countermeasures="Co-opt a hashtag and drown it out (hijack it back)"

Table 1068. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00066.md

Denigrate the recipient/ project (of online funding)

Reduce the credibility of groups behind misinformation-linked funding campaigns.

The tag is: misp-galaxy:disarm-countermeasures="Denigrate the recipient/ project (of online funding)"

Table 1069. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00067.md

Block access to disinformation resources

Resources = accounts, channels etc. Block access to the platform. DDoS an attacker. TA02*: DDoS at the critical time, to deny an adversary’s time-bound objective. T0008: a quick response to a proto-viral story will affect its ability to spread and raise questions about its legitimacy. Hashtag: against the platform, by drowning the hashtag. T0046 - Search Engine Optimisation: sub-optimal website performance affects its search engine rank, which I interpret as "blocking access to a platform".

The tag is: misp-galaxy:disarm-countermeasures="Block access to disinformation resources"

Table 1070. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00070.md

Block source of pollution

Block websites, accounts, groups etc connected to misinformation and other information pollution.

The tag is: misp-galaxy:disarm-countermeasures="Block source of pollution"

Table 1071. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00071.md

Remove non-relevant content from special interest groups - not recommended

Check special-interest groups (e.g. medical, knitting) for unrelated and misinformation-linked content, and remove it.

The tag is: misp-galaxy:disarm-countermeasures="Remove non-relevant content from special interest groups - not recommended"

Table 1072. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00072.md

Inoculate populations through media literacy training

Use training to build the resilience of at-risk populations. Educate on how to handle info pollution. Push out targeted education on why it’s pollution. Build cultural resistance to false content, e.g. cultural resistance to bullshit. Influence literacy training, to inoculate against "cult" recruiting. Media literacy training: leverage librarians / libraries for media literacy training. Inoculate at language. Strategic planning included, as inoculating a population has strategic value. Teaching media-literacy concepts to a mass audience requires that authorities launch a public information campaign; such a programme will take time to develop and to establish impact, so curriculum-based training is recommended. Covers detect, deny, and degrade.

The tag is: misp-galaxy:disarm-countermeasures="Inoculate populations through media literacy training"

Table 1073. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00073.md

Identify and delete or rate limit identical content

C00000

The tag is: misp-galaxy:disarm-countermeasures="Identify and delete or rate limit identical content"

Table 1074. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00074.md
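A posting-friction gate that implements both countermeasures C00044 (a forced delay between an account's posts) and C00074 (identifying identical content and rate-limiting it), as an added example that is not code from the DISARM project or from MISP. The thresholds, the normalisation rule used to decide that two posts are "identical", and the sample posts are assumptions of this example.

```python
"""Posting-friction gate: minimum interval per account, plus rate-limiting of
identical content posted across accounts."""
import hashlib
import re
from collections import deque

# Assumed thresholds; a platform would tune these per surface.
MIN_POST_INTERVAL = 30   # seconds an account must wait between accepted posts
DUPLICATE_WINDOW = 600   # seconds over which copies of the same content are counted
DUPLICATE_LIMIT = 3      # copies allowed in the window before further ones are limited


def normalise(text):
    """Collapse case, links, punctuation and whitespace so that trivially
    edited copies of one message map to the same key."""
    text = text.lower()
    text = re.sub(r"https?://\S+", "<url>", text)   # links differ per copy, body does not
    text = re.sub(r"[^\w\s]", "", text)
    return re.sub(r"\s+", " ", text).strip()


def content_key(text):
    """Stable identifier for a message's normalised content."""
    return hashlib.sha256(normalise(text).encode()).hexdigest()


class PostGate:
    def __init__(self):
        self.last_post = {}   # account -> timestamp of its last accepted post
        self.recent = {}      # content key -> timestamps of accepted copies

    def check(self, account, ts, text):
        """Decide on a post attempt at time ts: "allow", "delay" (account is
        posting too fast) or "rate_limited" (too many copies of this content)."""
        last = self.last_post.get(account)
        if last is not None and ts - last < MIN_POST_INTERVAL:
            return "delay"
        key = content_key(text)
        window = self.recent.setdefault(key, deque())
        while window and ts - window[0] > DUPLICATE_WINDOW:
            window.popleft()                      # drop copies outside the window
        if len(window) >= DUPLICATE_LIMIT:
            return "rate_limited"
        window.append(ts)
        self.last_post[account] = ts
        return "allow"


# Constructed sample traffic: a burst of near-identical posts from several accounts.
SAMPLE_POSTS = [
    ("acct1", 0,   "BREAKING: the dam has failed!!! http://example.org/a"),
    ("acct1", 5,   "follow-up"),                                             # too soon for acct1
    ("acct2", 10,  "breaking the dam has failed http://example.org/b"),
    ("acct3", 20,  "Breaking: The dam has failed! http://example.org/c"),
    ("acct4", 25,  "BREAKING: the dam has failed!!! http://example.org/d"),  # fourth copy
    ("acct5", 700, "BREAKING: the dam has failed!!! http://example.org/e"),  # window expired
]


def run_sample():
    """Run the sample traffic through a fresh gate and return the decisions."""
    gate = PostGate()
    return [gate.check(account, ts, text) for account, ts, text in SAMPLE_POSTS]


if __name__ == "__main__":
    for (account, ts, _), decision in zip(SAMPLE_POSTS, run_sample()):
        print(f"t={ts:>4} {account}: {decision}")
```

The two checks are deliberately independent: the per-account delay slows one operator, while the content key catches the same message pushed through many accounts, which a per-account limit never sees. Normalising before hashing is what makes the second check bite, since coordinated copies usually differ only in tracking links, punctuation or case.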

normalise language

Normalise the language around disinformation and misinformation; give people the words for artefact and effect types.

The tag is: misp-galaxy:disarm-countermeasures="normalise language"

Table 1075. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00075.md

Prohibit images in political discourse channels

Make political discussion channels text-only.

The tag is: misp-galaxy:disarm-countermeasures="Prohibit images in political discourse channels"

Table 1076. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00076.md

Active defence: run TA15 "develop people” - not recommended

Develop networks of communities and influencers around counter-misinformation. Match them to misinformation creators.

The tag is: misp-galaxy:disarm-countermeasures="Active defence: run TA15 "develop people” - not recommended"

Table 1077. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00077.md

Change Search Algorithms for Disinformation Content

Includes “change image search algorithms for hate groups and extremists” and “Change search algorithms for hate and extremist queries to show content sympathetic to opposite side”

The tag is: misp-galaxy:disarm-countermeasures="Change Search Algorithms for Disinformation Content"

Table 1078. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00078.md

Create competing narrative

Create counternarratives, or narratives that compete in the same spaces as misinformation narratives. Could also be classed as degrade.

The tag is: misp-galaxy:disarm-countermeasures="Create competing narrative"

Table 1079. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00080.md

Highlight flooding and noise, and explain motivations

Discredit by pointing out the "noise" and informing public that "flooding" is a technique of disinformation campaigns; point out intended objective of "noise"

The tag is: misp-galaxy:disarm-countermeasures="Highlight flooding and noise, and explain motivations"

Table 1080. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00081.md

Ground truthing as automated response to pollution

Also inoculation.

The tag is: misp-galaxy:disarm-countermeasures="Ground truthing as automated response to pollution"

Table 1081. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00082.md

Modify disinformation narratives, and rebroadcast them

Includes “poison pill recasting of message” and “steal their truths”. Many techniques involve promotion which could be manipulated. For example, online fundings or rallies could be advertised, through compromised or fake channels, as being associated with "far-up/down/left/right" actors. "Long Game" narratives could be subjected in a similar way with negative connotations. Can also replay technique T0003.

The tag is: misp-galaxy:disarm-countermeasures="Modify disinformation narratives, and rebroadcast them"

Table 1082. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00084.md

Mute content

Rate-limit disinformation content. This reduces its effects without running afoul of censorship concerns. Online archives of content (archives of websites, social media profiles, media and copies of published advertisements, or archives of comments attributed to bad actors together with anonymised metadata about the users who interacted with them and analysis of the effect) are useful for intelligence analysis and public transparency, but will need similar muting, or tagging and shaming, as is associated with bad actors.

The tag is: misp-galaxy:disarm-countermeasures="Mute content"

Table 1083. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00085.md

Distract from noise with addictive content

Example: Interject addictive links or contents into discussions of disinformation materials and measure a "conversion rate" of users who engage with your content and away from the social media channel’s "information bubble" around the disinformation item. Use bots to amplify and upvote the addictive content.

The tag is: misp-galaxy:disarm-countermeasures="Distract from noise with addictive content"

Table 1084. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00086.md

Make more noise than the disinformation

The tag is: misp-galaxy:disarm-countermeasures="Make more noise than the disinformation"

Table 1085. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00087.md

Fake engagement system

Create honeypots for misinformation creators to engage with, and reduce the resources they have available for misinformation campaigns.

The tag is: misp-galaxy:disarm-countermeasures="Fake engagement system"

Table 1086. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00090.md

Honeypot social community

Set honeypots, e.g. communities, in networks likely to be used for disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Honeypot social community"

Table 1087. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00091.md

Establish a truth teller reputation score for influencers

Includes "Establish a truth teller reputation score for influencers” and “Reputation scores for social media users”. Influencers are individuals or accounts with many followers.

The tag is: misp-galaxy:disarm-countermeasures="Establish a truth teller reputation score for influencers"

Table 1088. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00092.md

Influencer code of conduct

Establish tailored code of conduct for individuals with many followers. Can be platform code of conduct; can also be community code.

The tag is: misp-galaxy:disarm-countermeasures="Influencer code of conduct"

Table 1089. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00093.md

Force full disclosure on corporate sponsor of research

Accountability move: make sure research is published with its funding sources.

The tag is: misp-galaxy:disarm-countermeasures="Force full disclosure on corporate sponsor of research"

Table 1090. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00094.md

Strengthen institutions that are always truth tellers

Increase credibility, visibility, and reach of positive influencers in the information space.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen institutions that are always truth tellers"

Table 1091. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00096.md

Require use of verified identities to contribute to poll or comment

Reduce poll flooding by only taking comments or poll entries from verified accounts.

The tag is: misp-galaxy:disarm-countermeasures="Require use of verified identities to contribute to poll or comment"

Table 1092. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00097.md

Revocation of allowlisted or "verified" status

Remove blue checkmarks etc. from known misinformation accounts.

The tag is: misp-galaxy:disarm-countermeasures="Revocation of allowlisted or "verified" status"

Table 1093. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00098.md

Strengthen verification methods

Improve content verification methods available to groups, individuals, etc.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen verification methods"

Table 1094. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00099.md

Hashtag jacking

Post large volumes of unrelated content on known misinformation hashtags.

The tag is: misp-galaxy:disarm-countermeasures="Hashtag jacking"

Table 1095. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00100.md

Create friction by rate-limiting engagement

Create participant friction. Includes "Make repeat voting hard" and "Throttle number of forwards".

The tag is: misp-galaxy:disarm-countermeasures="Create friction by rate-limiting engagement"

Table 1096. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00101.md

Create a bot that engages / distract trolls

This is a reactive, not an active, measure (honeypots are active). It is a platform-controlled measure.

The tag is: misp-galaxy:disarm-countermeasures="Create a bot that engages / distract trolls"

Table 1097. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00103.md

Buy more advertising than misinformation creators

Shift influence and algorithms by posting more adverts into spaces than misinformation creators.

The tag is: misp-galaxy:disarm-countermeasures="Buy more advertising than misinformation creators"

Table 1098. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00105.md

Click-bait centrist content

Create emotive centrist content that gets more clicks.

The tag is: misp-galaxy:disarm-countermeasures="Click-bait centrist content"

Table 1099. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00106.md

Content moderation

Includes social media content take-downs, e.g. Facebook or Twitter content take-downs.

The tag is: misp-galaxy:disarm-countermeasures="Content moderation"

Table 1100. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00107.md

Dampen Emotional Reaction

Reduce emotional responses to misinformation through calming messages, etc.

The tag is: misp-galaxy:disarm-countermeasures="Dampen Emotional Reaction"

Table 1101. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00109.md

Reduce polarisation by connecting and presenting sympathetic renditions of opposite views

The tag is: misp-galaxy:disarm-countermeasures="Reduce polarisation by connecting and presenting sympathetic renditions of opposite views"

Table 1102. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00111.md

"Prove they are not an op!"

Challenge misinformation creators to prove they’re not an information operation.

The tag is: misp-galaxy:disarm-countermeasures=""Prove they are not an op!""

Table 1103. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00112.md

Debunk and defuse a fake expert / credentials.

Debunk fake experts, their credentials, and potentially also their audience quality.

The tag is: misp-galaxy:disarm-countermeasures="Debunk and defuse a fake expert / credentials."

Table 1104. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00113.md

Don’t engage with payloads

Stop passing on misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Don’t engage with payloads"

Table 1105. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00114.md

Expose actor and intentions

Debunk misinformation creators and posters.

The tag is: misp-galaxy:disarm-countermeasures="Expose actor and intentions"

Table 1106. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00115.md

Provide proof of involvement

Build and post information about the involvement of groups etc. in misinformation incidents.

The tag is: misp-galaxy:disarm-countermeasures="Provide proof of involvement"

Table 1107. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00116.md

Downgrade / de-amplify so message is seen by fewer people

Label promote counter to disinformation

The tag is: misp-galaxy:disarm-countermeasures="Downgrade / de-amplify so message is seen by fewer people"

Table 1108. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00117.md

Repurpose images with new text

Add countermessage text to images used in misinformation incidents.

The tag is: misp-galaxy:disarm-countermeasures="Repurpose images with new text"

Table 1109. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00118.md

Engage payload and debunk.

Debunk misinformation content. Provide a link to the facts.

The tag is: misp-galaxy:disarm-countermeasures="Engage payload and debunk."

Table 1110. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00119.md

Open dialogue about design of platforms to produce different outcomes

Redesign platforms and algorithms to reduce the effectiveness of disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Open dialogue about design of platforms to produce different outcomes"

Table 1111. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00120.md

Tool transparency and literacy for channels people follow.

Make algorithms in platforms explainable, and visible to people using those platforms.

The tag is: misp-galaxy:disarm-countermeasures="Tool transparency and literacy for channels people follow."

Table 1112. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00121.md

Remove or rate limit botnets

Reduce the visibility of known botnets online.

The tag is: misp-galaxy:disarm-countermeasures="Remove or rate limit botnets"

Table 1113. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00123.md

Don’t feed the trolls

Don’t engage with individuals relaying misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Don’t feed the trolls"

Table 1114. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00124.md

Prebunking

Produce material in advance of misinformation incidents, by anticipating the narratives used in them, and debunking them.

The tag is: misp-galaxy:disarm-countermeasures="Prebunking"

Table 1115. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00125.md

Social media amber alert

Create an alert system around disinformation and misinformation artefacts, narratives, and incidents.

The tag is: misp-galaxy:disarm-countermeasures="Social media amber alert"

Table 1116. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00126.md

Create friction by marking content with ridicule or other "decelerants"

Repost or comment on misinformation artefacts, using ridicule or other content to reduce the likelihood of reposting.

The tag is: misp-galaxy:disarm-countermeasures="Create friction by marking content with ridicule or other "decelerants""

Table 1117. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00128.md

Use banking to cut off access

Fiscal sanctions; parallel to counter-terrorism.

The tag is: misp-galaxy:disarm-countermeasures="Use banking to cut off access"

Table 1118. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00129.md

Mentorship: elders, youth, credit. Learn vicariously.

Train local influencers in countering misinformation.

The tag is: misp-galaxy:disarm-countermeasures="Mentorship: elders, youth, credit. Learn vicariously."

Table 1119. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00130.md

Seize and analyse botnet servers

Take botnet servers offline by seizing them.

The tag is: misp-galaxy:disarm-countermeasures="Seize and analyse botnet servers"

Table 1120. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00131.md

Deplatform Account*

Note: Similar to Deplatform People but less generic. Perhaps both should be left.

The tag is: misp-galaxy:disarm-countermeasures="Deplatform Account*"

Table 1121. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00133.md

Deplatform message groups and/or message boards

Merged two rows here.

The tag is: misp-galaxy:disarm-countermeasures="Deplatform message groups and/or message boards"

Table 1122. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00135.md

Microtarget most likely targets then send them countermessages

Find communities likely to be targeted by misinformation campaigns, and send them countermessages or pointers to information sources.

The tag is: misp-galaxy:disarm-countermeasures="Microtarget most likely targets then send them countermessages"

Table 1123. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00136.md

Spam domestic actors with lawsuits

File multiple lawsuits against known misinformation creators and posters, to distract them from disinformation creation.

The tag is: misp-galaxy:disarm-countermeasures="Spam domestic actors with lawsuits"

Table 1124. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00138.md

Weaponise youtube content matrices

God knows what this is. Keeping temporarily in case we work it out.

The tag is: misp-galaxy:disarm-countermeasures="Weaponise youtube content matrices"

Table 1125. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00139.md

"Bomb" link shorteners with lots of calls

Applies to most of the content used by exposure techniques except "T0055 - Use hashtag". Applies to analytics.

The tag is: misp-galaxy:disarm-countermeasures=""Bomb" link shorteners with lots of calls"

Table 1126. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00140.md

Platform adds warning label and decision point when sharing content

Includes “this has been disproved: do you want to forward it”. Includes “"Hey this story is old" popup when messaging with old URL” - this assumes that this technique is based on visits to a URL shortener or a captured news site that can publish a message of our choice. Includes “mark clickbait visually”.

The tag is: misp-galaxy:disarm-countermeasures="Platform adds warning label and decision point when sharing content"

Table 1127. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00142.md

(botnet) DMCA takedown requests to waste group time

Use copyright infringement claims to remove videos etc.

The tag is: misp-galaxy:disarm-countermeasures="(botnet) DMCA takedown requests to waste group time"

Table 1128. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00143.md

Buy out troll farm employees / offer them jobs

Degrade the infrastructure. Could e.g. pay to not act for 30 days. Not recommended.

The tag is: misp-galaxy:disarm-countermeasures="Buy out troll farm employees / offer them jobs"

Table 1129. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00144.md

Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)

Stop new community activity (likes, comments) on old social media posts.

The tag is: misp-galaxy:disarm-countermeasures="Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)"

Table 1130. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00147.md

Add random links to network graphs

If creators are using network analysis to determine how to attack networks, then adding random extra links to those networks might throw that analysis out enough to change attack outcomes. Unsure which DISARM techniques.

The tag is: misp-galaxy:disarm-countermeasures="Add random links to network graphs"

Table 1131. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00148.md

Poison the monitoring & evaluation data

Includes "Pollute the AB-testing data feeds": Polluting A/B testing requires knowledge of MOEs and MOPs. A/B testing must be caught early when there is relatively little data available, so infiltration of TAs and understanding of how content is migrated from testing to larger audiences is fundamental.

The tag is: misp-galaxy:disarm-countermeasures="Poison the monitoring & evaluation data"

Table 1132. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00149.md

Take pre-emptive action against actors' infrastructure

Align offensive cyber action with information operations and counter disinformation approaches, where appropriate.

The tag is: misp-galaxy:disarm-countermeasures="Take pre-emptive action against actors' infrastructure"

Table 1133. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00153.md

Ask media not to report false information

Train media to spot and respond to misinformation, and ask them not to post or transmit misinformation they’ve found.

The tag is: misp-galaxy:disarm-countermeasures="Ask media not to report false information"

Table 1134. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00154.md

Ban incident actors from funding sites

Ban misinformation creators and posters from funding sites.

The tag is: misp-galaxy:disarm-countermeasures="Ban incident actors from funding sites"

Table 1135. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00155.md

Better tell your country or organisation story

Civil engagement activities conducted on the part of EFP forces. NATO should likewise provide support and training, where needed, to local public affairs and other communication personnel. Local government and military public affairs personnel can play their part in creating and disseminating entertaining and sharable content that supports the EFP mission.

The tag is: misp-galaxy:disarm-countermeasures="Better tell your country or organisation story"

Table 1136. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00156.md

Have a disinformation response plan

e.g. Create a campaign plan and toolkit for competition short of armed conflict (this used to be called “the grey zone”). The campaign plan should account for own vulnerabilities and strengths, and not over-rely on any one tool of statecraft or line of effort. It will identify and employ a broad spectrum of national power to deter, compete, and counter (where necessary) other countries’ approaches, and will include understanding of own capabilities, capabilities of disinformation creators, and international standards of conduct to compete in, shrink the size, and ultimately deter use of competition short of armed conflict.

The tag is: misp-galaxy:disarm-countermeasures="Have a disinformation response plan"

Table 1137. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00159.md

find and train influencers

Identify key influencers (e.g. use network analysis), then reach out to identified users and offer support, through either training or resources.

The tag is: misp-galaxy:disarm-countermeasures="find and train influencers"

Table 1138. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00160.md

Coalition Building with stakeholders and Third-Party Inducements

Advance coalitions across borders and sectors, spanning public and private, as well as foreign and domestic, divides. Improve mechanisms to collaborate, share information, and develop coordinated approaches with the private sector at home and allies and partners abroad.

The tag is: misp-galaxy:disarm-countermeasures="Coalition Building with stakeholders and Third-Party Inducements"

Table 1139. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00161.md

Unravel/target the Potemkin villages

Kremlin’s narrative spin extends through constellations of “civil society” organisations, political parties, churches, and other actors. Moscow leverages think tanks, human rights groups, election observers, Eurasianist integration groups, and orthodox groups. A collection of Russian civil society organisations, such as the Federal Agency for the Commonwealth of Independent States Affairs, Compatriots Living Abroad, and International Humanitarian Cooperation, together receive at least US$100 million per year, in addition to government-organized nongovernmental organisations (NGOs), at least 150 of which are funded by Russian presidential grants totaling US$70 million per year.

The tag is: misp-galaxy:disarm-countermeasures="Unravel/target the Potemkin villages"

Table 1140. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00162.md

compatriot policy

Protect the interests of this population and, more importantly, influence the population to support pro-Russia causes and effectively influence the politics of its neighbours.

The tag is: misp-galaxy:disarm-countermeasures="compatriot policy"

Table 1141. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00164.md

Ensure integrity of official documents

E.g. for leaked legal documents, use court motions to limit future discovery actions.

The tag is: misp-galaxy:disarm-countermeasures="Ensure integrity of official documents"

Table 1142. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00165.md

develop a creative content hub

International donors will donate to a basket fund that will pay a committee of local experts who will, in turn, manage and distribute the money to Russian-language producers and broadcasters that pitch various projects.

The tag is: misp-galaxy:disarm-countermeasures="develop a creative content hub"

Table 1143. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00169.md

elevate information as a critical domain of statecraft

Shift from reactive to proactive response, with priority on sharing relevant information with the public and mobilising private-sector engagement. Recent advances in data-driven technologies have elevated information as a source of power to influence the political and economic environment, to foster economic growth, to enable a decision-making advantage over competitors, and to communicate securely and quickly.

The tag is: misp-galaxy:disarm-countermeasures="elevate information as a critical domain of statecraft"

Table 1144. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00170.md

social media source removal

Removing accounts, pages, groups, e.g. Facebook page removal.

The tag is: misp-galaxy:disarm-countermeasures="social media source removal"

Table 1145. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00172.md

Create a healthier news environment

Free and fair press: create bipartisan, patriotic commitment to press freedom. Note the difference between news and editorialising. Build alternative news sources: create alternative local-language news sources to counter local-language propaganda outlets. Delegitimize the 24-hour news cycle. Includes "Provide an alternative to disinformation content by expanding and improving local content": develop content that can displace geopolitically-motivated narratives in the entire media environment, both new and old media alike.

The tag is: misp-galaxy:disarm-countermeasures="Create a healthier news environment"

Table 1146. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00174.md

Improve Coordination amongst stakeholders: public and private

Coordinated disinformation challenges are increasingly multidisciplinary, yet there are few organisations within the national security structures that are equipped with the broad-spectrum capability to effectively counter large-scale conflict-short-of-war tactics in real time. Institutional hurdles currently impede diverse subject matter experts, hailing from outside of the traditional national security and foreign policy disciplines (e.g., physical science, engineering, media, legal, and economics fields), from contributing to the direct development of national security countermeasures to emerging conflict-short-of-war threat vectors. A Cognitive Security Action Group (CSAG), akin to the Counterterrorism Security Group (CSG), could drive interagency alignment across equivalents of DHS, DoS, DoD, the Intelligence Community, and other implementing agencies, in areas including strategic narrative, and the nexus of cyber and information operations.

The tag is: misp-galaxy:disarm-countermeasures="Improve Coordination amongst stakeholders: public and private"

Table 1147. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00176.md

Fill information voids with non-disinformation content

1) Pollute the data voids with wholesome content (Kittens! Babyshark!). 2) Fill data voids with relevant information, e.g. increase Russian-language programming in areas subject to Russian disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Fill information voids with non-disinformation content"

Table 1148. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00178.md

Redirection / malware detection/ remediation

Detect redirection or malware, then quarantine or delete.

The tag is: misp-galaxy:disarm-countermeasures="Redirection / malware detection/ remediation"

Table 1149. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00182.md

Media exposure

Highlight misinformation activities and actors in the media.

The tag is: misp-galaxy:disarm-countermeasures="Media exposure"

Table 1150. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00184.md

Newsroom/Journalist training to counter influence moves

Includes SEO influence. Includes promotion of a “higher standard of journalism”: journalism training “would be helpful, especially for the online community”. Includes "Strengthen local media": improve the effectiveness of local media outlets.

The tag is: misp-galaxy:disarm-countermeasures="Newsroom/Journalist training to counter influence moves"

Table 1151. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00188.md

Ensure that platforms are taking down flagged accounts

Use ongoing analysis/monitoring of "flagged" profiles. Confirm whether platforms are actively removing flagged accounts, and raise pressure via e.g. government organisations to encourage removal.

The tag is: misp-galaxy:disarm-countermeasures="Ensure that platforms are taking down flagged accounts"

Table 1152. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00189.md

open engagement with civil society

Government open engagement with civil society as an independent check on government action and messaging. Government seeks to coordinate and synchronise narrative themes with allies and partners while calibrating action in cases where elements in these countries may have been co-opted by competitor nations. Includes “fight in the light”: Use leadership in the arts, entertainment, and media to highlight and build on fundamental tenets of democracy.

The tag is: misp-galaxy:disarm-countermeasures="open engagement with civil society"

Table 1153. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00190.md

Redirect searches away from disinformation or extremist content

Use Google AdWords to identify instances in which people search Google about particular fake-news stories or propaganda themes. Includes "Monetize centrist SEO" by subsidising the difference in greater clicks towards extremist content.

The tag is: misp-galaxy:disarm-countermeasures="Redirect searches away from disinformation or extremist content"

Table 1154. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00195.md

remove suspicious accounts

Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners.

The tag is: misp-galaxy:disarm-countermeasures="remove suspicious accounts"

Table 1155. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00197.md

Respected figure (influencer) disavows misinfo

FIXIT: standardise language used for influencer/ respected figure.

The tag is: misp-galaxy:disarm-countermeasures="Respected figure (influencer) disavows misinfo"

Table 1156. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00200.md

Set data 'honeytraps'

Set honeytraps in content likely to be accessed for disinformation.

The tag is: misp-galaxy:disarm-countermeasures="Set data 'honeytraps'"

Table 1157. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00202.md

Stop offering press credentials to propaganda outlets

Remove access to official press events from known misinformation actors.

The tag is: misp-galaxy:disarm-countermeasures="Stop offering press credentials to propaganda outlets"

Table 1158. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00203.md

strong dialogue between the federal government and private sector to encourage better reporting

Increase civic resilience by partnering with the business community to combat grey zone threats and ensuring adequate reporting and enforcement mechanisms.

The tag is: misp-galaxy:disarm-countermeasures="strong dialogue between the federal government and private sector to encourage better reporting"

Table 1159. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00205.md

Run a competing disinformation campaign - not recommended

The tag is: misp-galaxy:disarm-countermeasures="Run a competing disinformation campaign - not recommended"

Table 1160. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00207.md

Use humorous counter-narratives

The tag is: misp-galaxy:disarm-countermeasures="Use humorous counter-narratives"

Table 1161. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00211.md

build public resilience by making civil society more vibrant

Increase public service experience, and support wider civics and history education.

The tag is: misp-galaxy:disarm-countermeasures="build public resilience by making civil society more vibrant"

Table 1162. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00212.md

Use advertiser controls to stem flow of funds to bad actors

Prevent ad revenue from going to disinformation domains.

The tag is: misp-galaxy:disarm-countermeasures="Use advertiser controls to stem flow of funds to bad actors"

Table 1163. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00216.md

Add metadata to content that’s out of the control of disinformation creators

Steganography: adding dates, signatures, etc. to prevent photo relabelling and similar issues.

The tag is: misp-galaxy:disarm-countermeasures="Add metadata to content that’s out of the control of disinformation creators"

Table 1164. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00219.md

Develop a monitoring and intelligence plan

Create a plan for misinformation and disinformation response, before it’s needed. Include connections / contacts needed, expected countermessages, etc.

The tag is: misp-galaxy:disarm-countermeasures="Develop a monitoring and intelligence plan"

Table 1165. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00220.md

Run a disinformation red team, and design mitigation factors

Include PACE plans - Primary, Alternate, Contingency, Emergency.

The tag is: misp-galaxy:disarm-countermeasures="Run a disinformation red team, and design mitigation factors"

Table 1166. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00221.md

Tabletop simulations

Simulate misinformation and disinformation campaigns, and responses to them, before campaigns happen.

The tag is: misp-galaxy:disarm-countermeasures="Tabletop simulations"

Table 1167. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00222.md

Strengthen Trust in social media platforms

Improve trust in the misinformation responses from social media and other platforms. Examples include creating greater transparency on their actions and algorithms.

The tag is: misp-galaxy:disarm-countermeasures="Strengthen Trust in social media platforms"

Table 1168. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00223.md

Detections

DISARM is a framework designed for describing and understanding disinformation incidents.

Detections is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Analyse aborted / failed campaigns

Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures?

The tag is: misp-galaxy:disarm-detections="Analyse aborted / failed campaigns"

Table 1169. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00001.md

Analyse viral fizzle

We have no idea what this means. Is it something to do with the way a viral story spreads?

The tag is: misp-galaxy:disarm-detections="Analyse viral fizzle"

Table 1170. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00002.md

Exploit counter-intelligence vs bad actors

The tag is: misp-galaxy:disarm-detections="Exploit counter-intelligence vs bad actors"

Table 1171. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00003.md

Recruit like-minded converts "people who used to be in-group"

The tag is: misp-galaxy:disarm-detections="Recruit like-minded converts "people who used to be in-group""

Table 1172. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00004.md

SWOT Analysis of Cognition in Various Groups

Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments.

The tag is: misp-galaxy:disarm-detections="SWOT Analysis of Cognition in Various Groups"

Table 1173. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00005.md

SWOT analysis of tech platforms

The tag is: misp-galaxy:disarm-detections="SWOT analysis of tech platforms"

Table 1174. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00006.md

Monitor account level activity in social networks

The tag is: misp-galaxy:disarm-detections="Monitor account level activity in social networks"

Table 1175. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00007.md

Detect abnormal amplification

The tag is: misp-galaxy:disarm-detections="Detect abnormal amplification"

Table 1176. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00008.md

Detect abnormal events

The tag is: misp-galaxy:disarm-detections="Detect abnormal events"

Table 1177. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00009.md

Detect abnormal groups

The tag is: misp-galaxy:disarm-detections="Detect abnormal groups"

Table 1178. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00010.md

Detect abnormal pages

The tag is: misp-galaxy:disarm-detections="Detect abnormal pages"

Table 1179. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00011.md

Detect abnormal profiles, e.g. prolific pages/ groups/ people

The tag is: misp-galaxy:disarm-detections="Detect abnormal profiles, e.g. prolific pages/ groups/ people"

Table 1180. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00012.md

Identify fake news sites

The tag is: misp-galaxy:disarm-detections="Identify fake news sites"

Table 1181. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00013.md

Trace connections

for e.g. fake news sites

The tag is: misp-galaxy:disarm-detections="Trace connections"

Table 1182. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00014.md

Detect anomalies in membership growth patterns

I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched.

The tag is: misp-galaxy:disarm-detections="Detect anomalies in membership growth patterns"

Table 1183. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00015.md

Identify fence-sitters

Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement.

The tag is: misp-galaxy:disarm-detections="Identify fence-sitters"

Table 1184. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00016.md

Measure emotional valence

The tag is: misp-galaxy:disarm-detections="Measure emotional valence"

Table 1185. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00017.md

Follow the money

track funding sources

The tag is: misp-galaxy:disarm-detections="Follow the money"

Table 1186. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00018.md

Activity resurgence detection (alarm when dormant accounts become activated)

The tag is: misp-galaxy:disarm-detections="Activity resurgence detection (alarm when dormant accounts become activated)"

Table 1187. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00019.md

Detect anomalous activity

The tag is: misp-galaxy:disarm-detections="Detect anomalous activity"

Table 1188. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00020.md

AI/ML automated early detection of campaign planning

The tag is: misp-galaxy:disarm-detections="AI/ML automated early detection of campaign planning"

Table 1189. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00021.md

Digital authority - regulating body (united states)

The tag is: misp-galaxy:disarm-detections="Digital authority - regulating body (united states)"

Table 1190. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00022.md

Periodic verification (counter to hijack legitimate account)

The tag is: misp-galaxy:disarm-detections="Periodic verification (counter to hijack legitimate account)"

Table 1191. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00023.md

Teach civics to kids/ adults/ seniors

The tag is: misp-galaxy:disarm-detections="Teach civics to kids/ adults/ seniors"

Table 1192. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00024.md

Boots-on-the-ground early narrative detection

The tag is: misp-galaxy:disarm-detections="Boots-on-the-ground early narrative detection"

Table 1193. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00025.md

Language anomoly detection

The tag is: misp-galaxy:disarm-detections="Language anomoly detection"

Table 1194. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00026.md

Unlikely correlation of sentiment on same topics

The tag is: misp-galaxy:disarm-detections="Unlikely correlation of sentiment on same topics"

Table 1195. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00027.md

Associate a public key signature with government documents

The tag is: misp-galaxy:disarm-detections="Associate a public key signature with government documents"

Table 1196. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00028.md

Detect proto narratives, i.e. RT, Sputnik

The tag is: misp-galaxy:disarm-detections="Detect proto narratives, i.e. RT, Sputnik"

Table 1197. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00029.md

Early detection and warning - reporting of suspect content

The tag is: misp-galaxy:disarm-detections="Early detection and warning - reporting of suspect content"

Table 1198. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00030.md

Educate on how to identify information pollution

Strategic planning included as inoculating the population has strategic value.

The tag is: misp-galaxy:disarm-detections="Educate on how to identify information pollution"

Table 1199. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00031.md

Educate on how to identify to pollution

DUPLICATE - DELETE

The tag is: misp-galaxy:disarm-detections="Educate on how to identify to pollution"

Table 1200. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00032.md

Fake websites: add transparency on business model

The tag is: misp-galaxy:disarm-detections="Fake websites: add transparency on business model"

Table 1201. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00033.md

Flag the information spaces so people know about active flooding effort

The tag is: misp-galaxy:disarm-detections="Flag the information spaces so people know about active flooding effort"

Table 1202. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00034.md

Identify repeated narrative DNA

The tag is: misp-galaxy:disarm-detections="Identify repeated narrative DNA"

Table 1203. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00035.md

Looking for AB testing in unregulated channels

The tag is: misp-galaxy:disarm-detections="Looking for AB testing in unregulated channels"

Table 1204. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00036.md

News content provenance certification.

Original Comment: Shortcomings: intentional falsehood. Doesn’t solve accuracy. Can’t be mandatory. Technique should be in terms of "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news.

The tag is: misp-galaxy:disarm-detections="News content provenance certification."

Table 1205. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00037.md

Social capital as attack vector

Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy’s trap and show a cost to financing/reposting/helping the adversary via public shaming or other means.

The tag is: misp-galaxy:disarm-detections="Social capital as attack vector"

Table 1206. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00038.md

standards to track image/ video deep fakes - industry

The tag is: misp-galaxy:disarm-detections="standards to track image/ video deep fakes - industry"

Table 1207. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00039.md

Unalterable metadata signature on origins of image and provenance

The tag is: misp-galaxy:disarm-detections="Unalterable metadata signature on origins of image and provenance"

Table 1208. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00040.md

Bias detection

Not technically left of boom

The tag is: misp-galaxy:disarm-detections="Bias detection"

Table 1209. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00041.md

Categorise polls by intent

Use T00029, but against the creators

The tag is: misp-galaxy:disarm-detections="Categorise polls by intent"

Table 1210. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00042.md

Monitor for creation of fake known personas

Platform companies and some information security companies (e.g. ZeroFox) do this.

The tag is: misp-galaxy:disarm-detections="Monitor for creation of fake known personas"

Table 1211. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00043.md

Forensic analysis

Can be used in all phases for all techniques.

The tag is: misp-galaxy:disarm-detections="Forensic analysis"

Table 1212. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00044.md

Forensic linguistic analysis

Can be used in all phases for all techniques.

The tag is: misp-galaxy:disarm-detections="Forensic linguistic analysis"

Table 1213. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00045.md

Pump priming analytics

The tag is: misp-galaxy:disarm-detections="Pump priming analytics"

Table 1214. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00046.md

trace involved parties

The tag is: misp-galaxy:disarm-detections="trace involved parties"

Table 1215. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00047.md

Trace known operations and connection

The tag is: misp-galaxy:disarm-detections="Trace known operations and connection"

Table 1216. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00048.md

trace money

The tag is: misp-galaxy:disarm-detections="trace money"

Table 1217. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00049.md

Web cache analytics

The tag is: misp-galaxy:disarm-detections="Web cache analytics"

Table 1218. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00050.md

Challenge expertise

The tag is: misp-galaxy:disarm-detections="Challenge expertise"

Table 1219. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00051.md

Discover sponsors

Discovering the sponsors behind a campaign, narrative, bot, set of accounts, social media comment, or anything else is useful.

The tag is: misp-galaxy:disarm-detections="Discover sponsors"

Table 1220. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00052.md

Government rumour control office (what can we learn?)

The tag is: misp-galaxy:disarm-detections="Government rumour control office (what can we learn?)"

Table 1221. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00053.md

Restrict people who can @ you on social networks

The tag is: misp-galaxy:disarm-detections="Restrict people who can @ you on social networks"

Table 1222. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00054.md

Verify credentials

The tag is: misp-galaxy:disarm-detections="Verify credentials"

Table 1223. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00055.md

Verify organisation legitimacy

The tag is: misp-galaxy:disarm-detections="Verify organisation legitimacy"

Table 1224. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00056.md

Verify personal credentials of experts

The tag is: misp-galaxy:disarm-detections="Verify personal credentials of experts"

Table 1225. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00057.md

Deplatform (cancel culture)

Deplatform People: This technique needs to be a bit more specific to distinguish it from "account removal" or DDOS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc.

The tag is: misp-galaxy:disarm-detections="Deplatform (cancel culture)"

Table 1226. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00058.md

Identify susceptible demographics

All techniques provide, or are susceptible to being countered by or leveraged through, knowledge about user demographics.

The tag is: misp-galaxy:disarm-detections="Identify susceptible demographics"

Table 1227. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00059.md

Identify susceptible influencers

I assume this was a transcript error. Otherwise, "Identify Susceptible Influences" as in the various methods of influences that may work against a victim could also be a technique. Nope, wasn’t a transcript error: original note says influencers, as in find people of influence that might be targeted.

The tag is: misp-galaxy:disarm-detections="Identify susceptible influencers"

Table 1228. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00060.md

Microtargeting

The tag is: misp-galaxy:disarm-detections="Microtargeting"

Table 1229. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00061.md

Detect when Dormant account turns active

The tag is: misp-galaxy:disarm-detections="Detect when Dormant account turns active"

Table 1230. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00062.md

Linguistic change analysis

The tag is: misp-galaxy:disarm-detections="Linguistic change analysis"

Table 1231. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00063.md

Monitor reports of account takeover

The tag is: misp-galaxy:disarm-detections="Monitor reports of account takeover"

Table 1232. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00064.md

Sentiment change analysis

The tag is: misp-galaxy:disarm-detections="Sentiment change analysis"

Table 1233. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00065.md

Use language errors, time to respond to account bans and lawsuits, to indicate capabilities

The tag is: misp-galaxy:disarm-detections="Use language errors, time to respond to account bans and lawsuits, to indicate capabilities"

Table 1234. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00066.md

Data forensics

The tag is: misp-galaxy:disarm-detections="Data forensics"

Table 1235. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00067.md

Resonance analysis

A developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesises how much affinity might exist for a specific group within a general population, based on the language its members employ.

The tag is: misp-galaxy:disarm-detections="Resonance analysis"

Table 1236. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00068.md

Track Russian media and develop analytic methods.

To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following:
• Identify fake-news stories and their sources.
• Understand narrative themes and content that pervade various Russian media sources.
• Understand the broader Russian strategy that underlies tactical propaganda messaging.

The tag is: misp-galaxy:disarm-detections="Track Russian media and develop analytic methods."

Table 1237. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00069.md

Full spectrum analytics

The tag is: misp-galaxy:disarm-detections="Full spectrum analytics"

Table 1238. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00070.md

Network analysis Identify/cultivate/support influencers

Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well.

The tag is: misp-galaxy:disarm-detections="Network analysis Identify/cultivate/support influencers"

Table 1239. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00071.md

network analysis to identify central users in the pro-Russia activist community.

It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitter’s terms of service.

The tag is: misp-galaxy:disarm-detections="network analysis to identify central users in the pro-Russia activist community."

Table 1240. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00072.md

collect intel/recon on black/covert content creators/manipulators

Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers.

The tag is: misp-galaxy:disarm-detections="collect intel/recon on black/covert content creators/manipulators"

Table 1241. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00073.md

identify relevant fence-sitter communities

Brand ambassador programmes could be used with influencers across a variety of social media channels. They could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a programme given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs.

The tag is: misp-galaxy:disarm-detections="identify relevant fence-sitter communities"

Table 1242. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00074.md

leverage open-source information

Significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritisation in the areas of observation, attribution, and intent. Successfully distinguishing the grey zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal.

The tag is: misp-galaxy:disarm-detections="leverage open-source information"

Table 1243. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00075.md

Monitor/collect audience engagement data connected to “useful idiots”

Target audience connected to "useful idiots" rather than the specific profiles, because the active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state.

The tag is: misp-galaxy:disarm-detections="Monitor/collect audience engagement data connected to “useful idiots”"

Table 1244. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00076.md

Model for bot account behaviour

Bot account: action based, people. Unsure which DISARM techniques.

The tag is: misp-galaxy:disarm-detections="Model for bot account behaviour"

Table 1245. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00077.md

Network anomaly detection

The tag is: misp-galaxy:disarm-detections="Network anomaly detection"

Table 1246. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00079.md

Hack the polls/ content yourself

Two wrongs don’t make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for.

The tag is: misp-galaxy:disarm-detections="Hack the polls/ content yourself"

Table 1247. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00080.md

Need way for end user to report operations

The tag is: misp-galaxy:disarm-detections="Need way for end user to report operations"

Table 1248. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00081.md

Control the US "slang" translation boards

The tag is: misp-galaxy:disarm-detections="Control the US "slang" translation boards"

Table 1249. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00082.md

Build and own meme generator, then track and watermark contents

The tag is: misp-galaxy:disarm-detections="Build and own meme generator, then track and watermark contents"

Table 1250. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00083.md

Track individual bad actors

The tag is: misp-galaxy:disarm-detections="Track individual bad actors"

Table 1251. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00084.md

detection of a weak signal through global noise

Grey zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries. Three interconnected grey zone elements characterise the nature of the activity:
Temporality: The nature of grey zone threats truly requires a “big picture view” over long timescales and across regions and functional topics.
Attribution: Requiring an “almost certain” or “nearly certain” analytic assessment before acting costs time and analytic effort.
Intent: Judgement of adversarial intent to conduct grey zone activity. Indeed, the purpose of countering grey zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesising multiple relevant indicators and warnings, including the state’s geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others.

The tag is: misp-galaxy:disarm-detections="detection of a weak signal through global noise"

Table 1252. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00085.md

Outpace Competitor Intelligence Capabilities

Develop an intelligence-based understanding of foreign actors’ motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors’ intent.

The tag is: misp-galaxy:disarm-detections="Outpace Competitor Intelligence Capabilities"

Table 1253. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00086.md

Improve Indications and Warning

The United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for grey zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect, and they make it difficult for analysts to infer intent.

The tag is: misp-galaxy:disarm-detections="Improve Indications and Warning"

Table 1254. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00087.md

Revitalise an “active measures working group,”

Recognise campaigns from weak signals, including rivals’ intent, capability, impact, interactive effects, and impact on U.S. interests… focus on adversarial covert action aspects of campaigning.

The tag is: misp-galaxy:disarm-detections="Revitalise an “active measures working group,”"

Table 1255. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00088.md

target/name/flag "grey zone" website content

"Grey zone" is the second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites.

The tag is: misp-galaxy:disarm-detections="target/name/flag "grey zone" website content"

Table 1256. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00089.md

Match Punitive Tools with Third-Party Inducements

Bring private sector and civil society into accord on U.S. interests

The tag is: misp-galaxy:disarm-detections="Match Punitive Tools with Third-Party Inducements"

Table 1257. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00090.md

Partner to develop analytic methods & tools

This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving, and such firms can provide the expertise to help identify and analyse trends, and they can more effectively stay abreast of the changing systems and develop new models as they are required

The tag is: misp-galaxy:disarm-detections="Partner to develop analytic methods & tools"

Table 1258. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00091.md

daylight

Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this

The tag is: misp-galaxy:disarm-detections="daylight"

Table 1259. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00092.md

S4d detection and re-allocation approaches

S4D is a way to separate out different speakers in text and audio.

The tag is: misp-galaxy:disarm-detections="S4d detection and re-allocation approaches"

Table 1260. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00093.md

Registries alert when large batches of newsy URLs get registered together

The tag is: misp-galaxy:disarm-detections="Registries alert when large batches of newsy URLs get registered together"

Table 1261. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00094.md
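A worked illustration of this detection, added here and not part of the DISARM framework or the MISP galaxy: given a feed of registration records (domain, registration time, registrant handle) such as a registry or passive-DNS source would provide, it flags news-styled names created in bulk by one registrant inside a short window. The token list, the 24-hour window, the batch threshold and every record are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tokens common in news-styled domain names. Assumption: a starter list to be
# tuned per language and target audience.
NEWSY_TOKENS = ("news", "daily", "times", "herald", "tribune", "gazette",
                "report", "chronicle", "journal", "today", "post")


def is_newsy(domain: str) -> bool:
    """True when the registrable label of `domain` carries a news-styled token."""
    label = domain.lower().split(".")[0]
    return any(token in label for token in NEWSY_TOKENS)


def find_batches(records, window=timedelta(hours=24), min_size=3):
    """Group newsy registrations per registrant into time-bounded batches.

    records: iterable of (domain, registration datetime, registrant handle).
    Returns one dict per batch of at least `min_size` newsy domains that one
    registrant created within `window` of the batch's first registration.
    Non-newsy domains are ignored so a registrant's ordinary activity does
    not hide the burst."""
    by_registrant = defaultdict(list)
    for domain, ts, registrant in records:
        if is_newsy(domain):
            by_registrant[registrant].append((ts, domain))

    batches = []
    for registrant, items in by_registrant.items():
        items.sort()                      # chronological per registrant
        current = [items[0]]
        for ts, domain in items[1:]:
            if ts - current[0][0] <= window:
                current.append((ts, domain))
            else:                         # window exceeded: close the batch
                if len(current) >= min_size:
                    batches.append(_describe(registrant, current))
                current = [(ts, domain)]
        if len(current) >= min_size:
            batches.append(_describe(registrant, current))
    return batches


def _describe(registrant, items):
    return {
        "registrant": registrant,
        "first": items[0][0],
        "last": items[-1][0],
        "domains": [domain for _, domain in items],
    }


# Constructed registration feed: one registrant creates four news-styled
# names in under a day, one unrelated name, and a fifth newsy name nine days
# later; a second registrant creates a single newsy name.
T0 = datetime(2024, 3, 1, 8, 0)
SAMPLE_RECORDS = [
    ("northshore-daily-news.example", T0, "REG-7781"),
    ("valleytimes-report.example",    T0 + timedelta(minutes=12), "REG-7781"),
    ("capital-herald-today.example",  T0 + timedelta(hours=3),    "REG-7781"),
    ("lakeside-tribune.example",      T0 + timedelta(hours=20),   "REG-7781"),
    ("mybakeryshop.example",          T0 + timedelta(hours=1),    "REG-7781"),  # not newsy
    ("metro-gazette.example",         T0 + timedelta(days=9),     "REG-7781"),  # outside window
    ("sunrise-chronicle.example",     T0, "REG-0042"),                          # lone registration
]


if __name__ == "__main__":
    for batch in find_batches(SAMPLE_RECORDS):
        print(batch["registrant"], batch["first"], batch["last"], batch["domains"])
```

Two caveats for anyone wiring this to a real feed: registrant handles are frequently privacy-proxied, so the grouping key often has to be the registrar, the nameserver set or the creation minute instead; and brand-protection teams legitimately register names in bulk, so a batch is a lead for an analyst, not a verdict.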

Fact checking

Process suspicious artefacts, narratives, and incidents

The tag is: misp-galaxy:disarm-detections="Fact checking"

Table 1262. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00095.md

Techniques

DISARM is a framework designed for describing and understanding disinformation incidents.

Techniques is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

DISARM Project

Facilitate State Propaganda

Organise citizens around pro-state messaging. Coordinate paid or volunteer groups to push state propaganda.

The tag is: misp-galaxy:disarm-techniques="Facilitate State Propaganda"

Table 1263. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0002.md

Leverage Existing Narratives

Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consistent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplification practices.

The tag is: misp-galaxy:disarm-techniques="Leverage Existing Narratives"

Table 1264. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0003.md

Develop Competing Narratives

Advance competing narratives connected to the same issue, e.g. deny an incident while at the same time dismissing it. Suppressing or discouraging narratives already spreading requires an alternative. The simplest set of narrative techniques in response is the construction and promotion of contradictory alternatives centred on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. These competing narratives give loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

The tag is: misp-galaxy:disarm-techniques="Develop Competing Narratives"

Table 1265. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0004.md

Create Inauthentic Social Media Pages and Groups

Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Social Media Pages and Groups"

Table 1266. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0007.md

Create Fake Experts

Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself.

The tag is: misp-galaxy:disarm-techniques="Create Fake Experts"

Table 1267. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0009.md

Utilise Academic/Pseudoscientific Justifications

Utilise Academic/Pseudoscientific Justifications

The tag is: misp-galaxy:disarm-techniques="Utilise Academic/Pseudoscientific Justifications"

Table 1268. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0009.001.md

Cultivate Ignorant Agents

Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also known as "useful idiots" or "unwitting agents".

The tag is: misp-galaxy:disarm-techniques="Cultivate Ignorant Agents"

Table 1269. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0010.md

Create Inauthentic Websites

Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Websites"

Table 1270. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0013.md

Prepare Fundraising Campaigns

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipeee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see Develop Information Pathways) to promote operation messaging while raising money to support its activities.

The tag is: misp-galaxy:disarm-techniques="Prepare Fundraising Campaigns"

Table 1271. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.md

Raise Funds from Malign Actors

Raising funds from malign actors may include contributions from foreign agents, cutouts or proxies, shell companies, dark money groups, etc.

The tag is: misp-galaxy:disarm-techniques="Raise Funds from Malign Actors"

Table 1272. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.001.md

Raise Funds from Ignorant Agents

Raising funds from ignorant agents may include scams, donations intended for one stated purpose but then used for another, etc.

The tag is: misp-galaxy:disarm-techniques="Raise Funds from Ignorant Agents"

Table 1273. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.002.md

Create Hashtags and Search Artefacts

Create one or more hashtags and/or hashtag groups. Many incident-based campaigns will create hashtags to promote their fabricated event. Creating a hashtag for an incident can have two important effects: 1. it creates a perception of reality around an event (surely only "real" events would be discussed under a hashtag; after all, the event has a name), and 2. it publicises the story more widely through trending lists and search behaviour. The hashtag is the asset needed to direct, control and manage the "conversation" connected to launching a new incident or campaign on the applicable social media sites.

The tag is: misp-galaxy:disarm-techniques="Create Hashtags and Search Artefacts"

Table 1274. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0015.md

Create Clickbait

Create attention grabbing headlines (outrage, doubt, humour) required to drive traffic & engagement. This is a key asset.

The tag is: misp-galaxy:disarm-techniques="Create Clickbait"

Table 1275. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0016.md

Conduct Fundraising

Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipeee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities.

The tag is: misp-galaxy:disarm-techniques="Conduct Fundraising"

Table 1276. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0017.md

Conduct Crowdfunding Campaigns

An influence operation may Conduct Crowdfunding Campaigns on platforms such as GoFundMe, GiveSendGo, Tipeee, Patreon, etc.

The tag is: misp-galaxy:disarm-techniques="Conduct Crowdfunding Campaigns"

Table 1277. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0017.001.md

Purchase Targeted Advertisements

Create or fund advertisements targeted at specific populations

The tag is: misp-galaxy:disarm-techniques="Purchase Targeted Advertisements"

Table 1278. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0018.md

Trial Content

Iteratively test incident performance (messages, content etc.), e.g. A/B test headline/content engagement metrics; website and/or funding campaign conversion rates.

The tag is: misp-galaxy:disarm-techniques="Trial Content"

Table 1279. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0020.md

Leverage Conspiracy Theory Narratives

"Conspiracy narratives" appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalised or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model.

The tag is: misp-galaxy:disarm-techniques="Leverage Conspiracy Theory Narratives"

Table 1280. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.md

Amplify Existing Conspiracy Theory Narratives

An influence operation may amplify an existing conspiracy theory narrative that aligns with its incident or campaign goals. By amplifying existing conspiracy theory narratives, operators can leverage the power of the existing communities that support and propagate those theories without needing to expend resources creating new narratives or building momentum and buy in around new narratives.

The tag is: misp-galaxy:disarm-techniques="Amplify Existing Conspiracy Theory Narratives"

Table 1281. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.001.md

Develop Original Conspiracy Theory Narratives

While this requires more resources than amplifying existing conspiracy theory narratives, an influence operation may develop original conspiracy theory narratives in order to achieve greater control and alignment over the narrative and their campaign goals. Prominent examples include the USSR’s Operation INFEKTION disinformation campaign, run by the KGB in the 1980s to plant the idea that the United States had invented HIV/AIDS as part of a biological weapons research project at Fort Detrick, Maryland. More recently, Fort Detrick featured prominently in new conspiracy theory narratives around the origins of the COVID-19 outbreak and pandemic.

The tag is: misp-galaxy:disarm-techniques="Develop Original Conspiracy Theory Narratives"

Table 1282. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.002.md

Distort Facts

Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Example: images and ideas can be distorted by being placed in an improper context.

The tag is: misp-galaxy:disarm-techniques="Distort Facts"

Table 1283. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.md

Reframe Context

Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions.

The tag is: misp-galaxy:disarm-techniques="Reframe Context"

Table 1284. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.001.md

Edit Open-Source Content

An influence operation may edit open-source content, such as collaborative blogs or encyclopaedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets.

The tag is: misp-galaxy:disarm-techniques="Edit Open-Source Content"

Table 1285. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.002.md

Online Polls

Create fake online polls, or manipulate existing online polls. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well

The tag is: misp-galaxy:disarm-techniques="Online Polls"

Table 1286. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0029.md

Bait Influencer

Influencers are people on social media platforms who have large audiences. 

Threat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who aren’t associated with their campaign into amplifying campaign content. This gives them access to the Influencer’s audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audience’s trust in them.

The tag is: misp-galaxy:disarm-techniques="Bait Influencer"

Table 1287. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0039.md

Demand Insurmountable Proof

Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the "firehose of misinformation". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of "questions" while the truth teller is burdened with higher and higher standards of proof.

The tag is: misp-galaxy:disarm-techniques="Demand Insurmountable Proof"

Table 1288. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0040.md

Seed Kernel of Truth

Wrap lies or altered context/facts around truths. Influence campaigns pursue a variety of objectives with respect to target audiences, prominent among them: 1. undermine a narrative commonly referenced in the target audience; or 2. promote a narrative less common in the target audience, but preferred by the attacker. In both cases, the attacker is presented with a heavy lift. They must change the relative importance of various narratives in the interpretation of events, despite contrary tendencies. When messaging makes use of factual reporting to promote these adjustments in the narrative space, they are less likely to be dismissed out of hand; when messaging can juxtapose a (factual) truth about current affairs with the (abstract) truth explicated in these narratives, propagandists can undermine or promote them selectively. Context matters.

The tag is: misp-galaxy:disarm-techniques="Seed Kernel of Truth"

Table 1289. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0042.md

Chat Apps

Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.

The tag is: misp-galaxy:disarm-techniques="Chat Apps"

Table 1290. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.md

Use Encrypted Chat Apps

Examples include Signal, WhatsApp, Discord, Wire, etc.

The tag is: misp-galaxy:disarm-techniques="Use Encrypted Chat Apps"

Table 1291. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.001.md

Use Unencrypted Chats Apps

Examples include SMS, etc.

The tag is: misp-galaxy:disarm-techniques="Use Unencrypted Chats Apps"

Table 1292. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.002.md

Seed Distortions

Try a wide variety of messages in the early hours surrounding an incident or event, to give a misleading account or impression.

The tag is: misp-galaxy:disarm-techniques="Seed Distortions"

Table 1293. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0044.md

Use Fake Experts

Use the fake experts that were set up during Establish Legitimacy. Pseudo-experts are disposable assets that often appear once and then disappear. They give "credibility" to misinformation and take advantage of credential bias.

The tag is: misp-galaxy:disarm-techniques="Use Fake Experts"

Table 1294. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0045.md

Use Search Engine Optimisation

Manipulate content engagement metrics (i.e. on Reddit and Twitter) to influence/impact news search results (e.g. Google); this also elevates RT and Sputnik headlines into Google news alert emails. Also known as "black-hat SEO".

The tag is: misp-galaxy:disarm-techniques="Use Search Engine Optimisation"

Table 1295. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0046.md

Censor Social Media as a Political Force

Use political influence or the power of the state to stop critical social media comments. Government-requested/driven content takedowns (see Google Transparency reports).

The tag is: misp-galaxy:disarm-techniques="Censor Social Media as a Political Force"

Table 1296. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0047.md

Harass

Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Harass"

Table 1297. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.md

Boycott/"Cancel" Opponents

Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organisation, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasising an adversary’s problematic or disputed behaviour and presenting its own content as an alternative.

The tag is: misp-galaxy:disarm-techniques="Boycott/"Cancel" Opponents"

Table 1298. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.001.md

Harass People Based on Identities

Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.

The tag is: misp-galaxy:disarm-techniques="Harass People Based on Identities"

Table 1299. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.002.md

Threaten to Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Threaten to Dox"

Table 1300. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.003.md

Dox

Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.

The tag is: misp-galaxy:disarm-techniques="Dox"

Table 1301. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.004.md

Flood Information Space

Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.

This can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information. 

Bots and/or patriotic trolls are effective tools to achieve this effect.

This Technique previously used the name Flooding the Information Space.

The tag is: misp-galaxy:disarm-techniques="Flood Information Space"

Table 1302. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.md

Trolls Amplify and Manipulate

Use trolls to amplify and/or manipulate narratives. Fake profiles/sockpuppets operate to support individuals/narratives from across the political spectrum (the left/right binary). They operate with increased emphasis on promoting local content and promoting real Twitter users who generate their own, often divisive, political content, since it is easier to amplify existing content than to create new/original content. Trolls operate wherever there is a socially divisive issue (issues that can be or are politicised).

The tag is: misp-galaxy:disarm-techniques="Trolls Amplify and Manipulate"

Table 1303. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.001.md

Flood Existing Hashtag

Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags they’re interested in. 

Threat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.

This Technique covers cases where threat actors flood existing hashtags with campaign content.

This Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.

The tag is: misp-galaxy:disarm-techniques="Flood Existing Hashtag"

Table 1304. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.002.md

Bots Amplify via Automated Forwarding and Reposting

Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (i.e. automatically retweet or like) and give the appearance that it is more "popular" than it is. They can operate as a network, functioning in a coordinated/orchestrated manner. In some cases (more so now) they are inexpensive/disposable assets used for minimal deployment, as bot detection tools improve and platforms become more responsive.

The tag is: misp-galaxy:disarm-techniques="Bots Amplify via Automated Forwarding and Reposting"

Table 1305. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.003.md
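The detection counterpart of this technique, as an added example that is not DISARM or MISP code: the signal that separates a bot network from organic sharing is not one fast burst of reposts (a genuinely viral post gets those too) but the same set of accounts reposting many different posts within seconds of each other. The code below takes repost events (account, original post id, unix timestamp), finds lockstep groups per post, then flags accounts and account pairs that recur across posts. The window, thresholds and all events are constructed assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed repost timeline: (account, original post id, unix timestamp).
SAMPLE_EVENTS = [
    # P1: four accounts repost within six seconds of each other
    ("bot_a", "P1", 1000), ("bot_b", "P1", 1002), ("bot_c", "P1", 1004), ("bot_d", "P1", 1006),
    # P1: organic reposts trickle in over hours
    ("user_1", "P1", 1300), ("user_2", "P1", 4100), ("user_3", "P1", 8900),
    # P2: the same core accounts plus a different fourth, again within seconds
    ("bot_b", "P2", 2000), ("bot_a", "P2", 2001), ("bot_e", "P2", 2003), ("bot_c", "P2", 2005),
    ("user_4", "P2", 6000),
    # P3: a genuinely viral post: four organic accounts inside 30 s, once
    ("user_1", "P3", 3000), ("user_2", "P3", 3010), ("user_3", "P3", 3020), ("user_4", "P3", 3025),
]


def bursts_per_post(events, window_s=30, min_accounts=4):
    """For each original post, return the groups of accounts that reposted it
    within `window_s` seconds of the group's first repost. Groups are closed
    sequentially: a repost more than `window_s` after the group's first
    member starts a new group."""
    reposts = defaultdict(list)
    for account, post_id, ts in events:
        reposts[post_id].append((ts, account))

    found = {}
    for post_id, items in reposts.items():
        items.sort()
        groups, group = [], [items[0]]
        for ts, account in items[1:]:
            if ts - group[0][0] <= window_s:
                group.append((ts, account))
            else:
                groups.append(group)
                group = [(ts, account)]
        groups.append(group)
        lockstep = [sorted({a for _, a in g}) for g in groups if len(g) >= min_accounts]
        if lockstep:
            found[post_id] = lockstep
    return found


def suspicious_accounts(events, window_s=30, min_accounts=4, min_shared_bursts=2):
    """Accounts that take part in lockstep bursts on at least
    `min_shared_bursts` posts, and the account pairs that keep co-occurring.
    A single burst is not enough: that is what a viral post looks like."""
    per_account, pair_counts = Counter(), Counter()
    for groups in bursts_per_post(events, window_s, min_accounts).values():
        for accounts in groups:
            per_account.update(accounts)
            pair_counts.update(combinations(accounts, 2))   # accounts are sorted
    flagged = sorted(a for a, n in per_account.items() if n >= min_shared_bursts)
    recurring_pairs = {p: n for p, n in pair_counts.items() if n >= min_shared_bursts}
    return flagged, recurring_pairs


if __name__ == "__main__":
    flagged, pairs = suspicious_accounts(SAMPLE_EVENTS)
    print("flagged:", flagged)
    print("recurring pairs:", pairs)
```

On the sample, P3's organic burst is detected as a burst but none of its accounts are flagged, while bot_a, bot_b and bot_c recur across P1 and P2 and are. On real data the thresholds need a baseline of how fast organic reposting happens for the platform and audience in question, and the recurring-pair table is the part worth keeping: it is the "network" the description refers to, and it survives the individual disposable accounts being replaced.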

Utilise Spamoflauge

Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, "you’ve w0n our jackp0t!". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging.

The tag is: misp-galaxy:disarm-techniques="Utilise Spamoflauge"

Table 1306. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.004.md
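Both sides of the description above in working code, as an added example that is not DISARM or MISP code: a spamoflauge function that does the "w0n our jackp0t" substitution, a naive keyword filter that it defeats, and the normalisation step (compatibility folding, zero-width stripping, confusable mapping, letter-spacing collapse) that lets the same keyword list see through it. The confusable table, the keyword list and the messages are constructed assumptions for illustration.

```python
import re
import unicodedata

# Substitutions an operator uses to hide a keyword from a filter. Assumption:
# a small illustrative table; a production filter would carry a much larger
# confusables list (e.g. the Unicode TR39 data).
CONFUSABLES = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
    "\u043e": "o",  # Cyrillic small o, visually identical to Latin o
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
}
# Zero-width characters used to split a keyword without any visible change.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
# Keywords the filter looks for (assumption, for illustration only).
BLOCKED_KEYWORDS = ("jackpot", "free money", "wire transfer")


def spamoflauge(text: str) -> str:
    """What the sender does: swap letters for look-alike digits."""
    inverse = {"o": "0", "i": "1", "e": "3", "a": "4", "s": "5", "t": "7"}
    return "".join(inverse.get(ch, ch) for ch in text)


def normalise(text: str) -> str:
    """Fold a spamoflauged message back towards plain lowercase text.
    This deliberately mangles genuine digits ("3pm" becomes "epm"), so match
    keywords on the normalised copy and keep the original for display."""
    text = unicodedata.normalize("NFKC", text)             # fullwidth/compat forms
    text = ZERO_WIDTH.sub("", text)                         # "j\u200back\u200bpot"
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)  # w0n -> won
    # collapse "j a c k p o t": drop whitespace between single-letter words
    text = re.sub(r"\b(\w)\s+(?=\w\b)", r"\1", text)
    return text.lower()


def naive_filter(text: str) -> bool:
    """Keyword match on the raw text: what spamoflauge is designed to beat."""
    lowered = text.lower()
    return any(k in lowered for k in BLOCKED_KEYWORDS)


def hardened_filter(text: str) -> bool:
    """Same keyword list, matched after normalisation."""
    folded = normalise(text)
    return any(k in folded for k in BLOCKED_KEYWORDS)


SAMPLES = [  # constructed messages
    "You've w0n our jackp0t! Claim your fr33 m0ney now",
    "Wire tr\u0430nsfer needed today",          # Cyrillic a inside "transfer"
    "J\u200back\u200bpot winners announced",    # zero-width spaces inside the keyword
    "Quarterly results meeting moved to 3pm",   # benign
]


def triage(messages=SAMPLES):
    """Return (naive verdict, hardened verdict) for each message."""
    return [(naive_filter(m), hardened_filter(m)) for m in messages]


if __name__ == "__main__":
    for message, verdicts in zip(SAMPLES, triage()):
        print(verdicts, repr(message))
```

The first three samples pass the naive filter and are caught after normalisation; the benign fourth is caught by neither. The image and password-protected-attachment variants the description mentions are out of reach of this approach by design: text normalisation only helps while there is text to normalise, which is why those variants are used.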

Conduct Swarming

Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centres exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach.

The tag is: misp-galaxy:disarm-techniques="Conduct Swarming"

Table 1307. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.005.md

Conduct Keyword Squatting

Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search-engine-optimised term to overwhelm the search results for that term. An influence operation may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and to manipulate the narrative around the term.

The tag is: misp-galaxy:disarm-techniques="Conduct Keyword Squatting"

Table 1308. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.006.md

Inauthentic Sites Amplify News and Narratives

Inauthentic sites circulate and cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.

The tag is: misp-galaxy:disarm-techniques="Inauthentic Sites Amplify News and Narratives"

Table 1309. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.007.md

Generate Information Pollution

Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information they’re looking for. 

This subtechnique’s objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used. 

Analysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.

This Technique previously used the ID T0019.

The tag is: misp-galaxy:disarm-techniques="Generate Information Pollution"

Table 1310. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.008.md

Organise Events

Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.

The tag is: misp-galaxy:disarm-techniques="Organise Events"

Table 1311. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.md

Pay for Physical Action

Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest.

The tag is: misp-galaxy:disarm-techniques="Pay for Physical Action"

Table 1312. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.001.md

Conduct Symbolic Action

Symbolic action refers to activities specifically intended to advance an operation’s narrative by signalling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space.

The tag is: misp-galaxy:disarm-techniques="Conduct Symbolic Action"

Table 1313. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.002.md

Play the Long Game

Play the long game refers to two phenomena:

1. To plan messaging and allow it to grow organically without conducting your own amplification. This is methodical and slow and requires years for the message to take hold.
2. To develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative.

The tag is: misp-galaxy:disarm-techniques="Play the Long Game"

Table 1314. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0059.md

Continue to Amplify

Continue narrative or message amplification after the main incident work has finished.

The tag is: misp-galaxy:disarm-techniques="Continue to Amplify"

Table 1315. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0060.md

Sell Merchandise

Sell merchandise refers to getting the message or narrative into physical space in the offline world while making money.

The tag is: misp-galaxy:disarm-techniques="Sell Merchandise"

Table 1316. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0061.md

Prepare Physical Broadcast Capabilities

Create or co-opt broadcast capabilities (e.g. TV, radio, etc.).

The tag is: misp-galaxy:disarm-techniques="Prepare Physical Broadcast Capabilities"

Table 1317. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0065.md

Degrade Adversary

Plan to degrade an adversary’s image or ability to act. This could include preparation and use of harmful information about the adversary’s actions or reputation.

The tag is: misp-galaxy:disarm-techniques="Degrade Adversary"

Table 1318. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0066.md

Respond to Breaking News Event or Active Crisis

Media attention on a story or event is heightened during a breaking news event, where unclear facts and incomplete information increase speculation, rumours, and conspiracy theories, which are all vulnerable to manipulation.

The tag is: misp-galaxy:disarm-techniques="Respond to Breaking News Event or Active Crisis"

Table 1319. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0068.md

Segment Audiences

Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics.

The tag is: misp-galaxy:disarm-techniques="Segment Audiences"

Table 1320. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.md

Geographic Segmentation

An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localised Content (see: Establish Legitimacy).

The tag is: misp-galaxy:disarm-techniques="Geographic Segmentation"

Table 1321. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.001.md

Demographic Segmentation

An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age.

The tag is: misp-galaxy:disarm-techniques="Demographic Segmentation"

Table 1322. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.002.md

Economic Segmentation

An influence operation may target populations based on their income bracket, wealth, or other financial or economic division.

The tag is: misp-galaxy:disarm-techniques="Economic Segmentation"

Table 1323. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.003.md

Psychographic Segmentation

An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes.

The tag is: misp-galaxy:disarm-techniques="Psychographic Segmentation"

Table 1324. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.004.md

Political Segmentation

An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy.

The tag is: misp-galaxy:disarm-techniques="Political Segmentation"

Table 1325. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.005.md

Determine Target Audiences

Determining the target audiences (segments of the population) who will receive campaign narratives and artefacts intended to achieve the strategic ends.

The tag is: misp-galaxy:disarm-techniques="Determine Target Audiences"

Table 1326. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0073.md

Determine Strategic Ends

These are the long-term end-states the campaign aims to bring about. They typically involve an advantageous position vis-a-vis competitors in terms of power or influence. The strategic goal may be to improve or simply to hold one’s position. Competition occurs in the public sphere in the domains of war, diplomacy, politics, economics, and ideology, and can play out between armed groups, nation-states, political parties, corporations, interest groups, or individuals.

The tag is: misp-galaxy:disarm-techniques="Determine Strategic Ends"

Table 1327. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.md

Geopolitical Advantage

Favourable position on the international stage in terms of great power politics or regional rivalry. Geopolitics plays out in the realms of foreign policy, national security, diplomacy, and intelligence. It involves nation-state governments, heads of state, foreign ministers, intergovernmental organisations, and regional security alliances.

The tag is: misp-galaxy:disarm-techniques="Geopolitical Advantage"

Table 1328. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.001.md

Domestic Political Advantage

Favourable position vis-à-vis national or sub-national political opponents such as political parties, interest groups, politicians, candidates.

The tag is: misp-galaxy:disarm-techniques="Domestic Political Advantage"

Table 1329. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.002.md

Economic Advantage

Favourable position domestically or internationally in the realms of commerce, trade, finance, industry. Economics involves nation-states, corporations, banks, trade blocs, industry associations, cartels.

The tag is: misp-galaxy:disarm-techniques="Economic Advantage"

Table 1330. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.003.md

Ideological Advantage

Favourable position domestically or internationally in the market for ideas, beliefs, and world views. Competition plays out among faith systems, political systems, and value systems. It can involve sub-national, national or supra-national movements.

The tag is: misp-galaxy:disarm-techniques="Ideological Advantage"

Table 1331. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.004.md

Dismiss

Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than for other actors or themselves, or arguing that their criticism is biased.

The tag is: misp-galaxy:disarm-techniques="Dismiss"

Table 1332. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0075.md

Discredit Credible Sources

Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content.

The tag is: misp-galaxy:disarm-techniques="Discredit Credible Sources"

Table 1333. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0075.001.md

Distort

Twist the narrative. Take information, or artefacts like images, and change the framing around them.

The tag is: misp-galaxy:disarm-techniques="Distort"

Table 1334. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0076.md

Distract

Shift attention to a different narrative or actor, for instance by accusing critics of the same activity that they’ve accused you of (e.g. police brutality).

The tag is: misp-galaxy:disarm-techniques="Distract"

Table 1335. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0077.md

Dismay

Threaten the critic or narrator of events. For instance, threaten journalists or news outlets reporting on a story.

The tag is: misp-galaxy:disarm-techniques="Dismay"

Table 1336. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0078.md

Divide

Create conflict between subgroups to widen divisions in a community.

The tag is: misp-galaxy:disarm-techniques="Divide"

Table 1337. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0079.md

Map Target Audience Information Environment

Mapping the target audience information environment analyses the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience. Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.

The tag is: misp-galaxy:disarm-techniques="Map Target Audience Information Environment"

Table 1338. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.md

Monitor Social Media Analytics

An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics.

The tag is: misp-galaxy:disarm-techniques="Monitor Social Media Analytics"

Table 1339. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.001.md

Evaluate Media Surveys

An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience.

The tag is: misp-galaxy:disarm-techniques="Evaluate Media Surveys"

Table 1340. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.002.md

Identify Trending Topics/Hashtags

An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag refers to a word or phrase preceded by the hash symbol (#) on social media, used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralised page dedicated to the word or phrase and sorted either chronologically or by popularity.

The tag is: misp-galaxy:disarm-techniques="Identify Trending Topics/Hashtags"

Table 1341. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.003.md

Conduct Web Traffic Analysis

An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience.

The tag is: misp-galaxy:disarm-techniques="Conduct Web Traffic Analysis"

Table 1342. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.004.md

Assess Degree/Type of Media Access

An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties.

The tag is: misp-galaxy:disarm-techniques="Assess Degree/Type of Media Access"

Table 1343. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.005.md

Identify Social and Technical Vulnerabilities

Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment. Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives.

The tag is: misp-galaxy:disarm-techniques="Identify Social and Technical Vulnerabilities"

Table 1344. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.md

Find Echo Chambers

Find or plan to create areas (social media groups, search term groups, hashtag groups etc) where individuals only engage with people they agree with.

The tag is: misp-galaxy:disarm-techniques="Find Echo Chambers"

Table 1345. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.001.md

Identify Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids:

1. “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information.
2. An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience.
3. An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency.
4. “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results.
5. An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualises the term.

The tag is: misp-galaxy:disarm-techniques="Identify Data Voids"

Table 1346. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.002.md

Identify Existing Prejudices

An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarise its target audience from the rest of the public.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Prejudices"

Table 1347. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.003.md

Identify Existing Fissures

An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer” approach to tailor operation narratives along the divides.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Fissures"

Table 1348. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.004.md

Identify Existing Conspiracy Narratives/Suspicions

An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives.

The tag is: misp-galaxy:disarm-techniques="Identify Existing Conspiracy Narratives/Suspicions"

Table 1349. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.005.md

Identify Wedge Issues

A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarising the public along the wedge issue line and encouraging opposition between factions.

The tag is: misp-galaxy:disarm-techniques="Identify Wedge Issues"

Table 1350. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.006.md

Identify Target Audience Adversaries

An influence operation may identify or create a real or imaginary adversary to centre operation narratives against. A real adversary may include certain politicians or political parties, while imaginary adversaries may include falsified “deep state” actors that, according to conspiracies, run the state behind public view.

The tag is: misp-galaxy:disarm-techniques="Identify Target Audience Adversaries"

Table 1351. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.007.md

Identify Media System Vulnerabilities

An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content.

The tag is: misp-galaxy:disarm-techniques="Identify Media System Vulnerabilities"

Table 1352. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.008.md

Develop New Narratives

Actors may develop new narratives to further strategic or tactical goals, especially when existing narratives adequately align with the campaign goals. New narratives provide more control in terms of crafting the message to achieve specific goals. However, new narratives may require more effort to disseminate than adapting or adopting existing narratives.

The tag is: misp-galaxy:disarm-techniques="Develop New Narratives"

Table 1353. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0082.md

Integrate Target Audience Vulnerabilities into Narrative

An influence operation may seek to exploit the preexisting weaknesses, fears, and enemies of the target audience for integration into the operation’s narratives and overall strategy. Integrating existing vulnerabilities into the operational approach conserves resources by exploiting already weak areas of the target information environment instead of forcing the operation to create new vulnerabilities in the environment.

The tag is: misp-galaxy:disarm-techniques="Integrate Target Audience Vulnerabilities into Narrative"

Table 1354. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0083.md

Reuse Existing Content

Reuse of existing content occurs when an operation recycles content from its own previous operations or plagiarises from external operations. An operation may launder information to conserve resources that would otherwise have been utilised to develop new content.

The tag is: misp-galaxy:disarm-techniques="Reuse Existing Content"

Table 1355. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.md

Use Copypasta

Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text.

The tag is: misp-galaxy:disarm-techniques="Use Copypasta"

Table 1356. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.001.md

Plagiarise Content

An influence operation may take content from other sources without proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources.

The tag is: misp-galaxy:disarm-techniques="Plagiarise Content"

Table 1357. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.002.md

Deceptively Labelled or Translated

An influence operation may take authentic content from other sources and add deceptive labels or deceptively translate the content into other languages.

The tag is: misp-galaxy:disarm-techniques="Deceptively Labelled or Translated"

Table 1358. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.003.md

Appropriate Content

An influence operation may take content from other sources with proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation, or disinformation content from other sources. Examples include the appropriation of content from one inauthentic news site to another inauthentic news site or network in ways that align with the originator’s licensing or terms of service.

The tag is: misp-galaxy:disarm-techniques="Appropriate Content"

Table 1359. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.004.md

Develop Text-Based Content

Creating and editing false or misleading text-based artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign.

The tag is: misp-galaxy:disarm-techniques="Develop Text-Based Content"

Table 1360. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.md

Develop AI-Generated Text

AI-generated text refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use readfakes or autonomous generation to quickly develop and distribute content to the target audience.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Text"

Table 1361. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.001.md

Develop Inauthentic News Articles

An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.

The tag is: misp-galaxy:disarm-techniques="Develop Inauthentic News Articles"

Table 1362. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.003.md

Develop Document

Produce text in the form of a document.

The tag is: misp-galaxy:disarm-techniques="Develop Document"

Table 1363. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.004.md

Develop Book

Produce text content in the form of a book. 

This technique covers both e-books and physical books; however, the former is more easily deployed by threat actors given the lower cost to develop.

The tag is: misp-galaxy:disarm-techniques="Develop Book"

Table 1364. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.005.md

Develop Opinion Article

Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation. 

Flagging articles as opinions allows news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.

The use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.

Examples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisation’s goals.

The tag is: misp-galaxy:disarm-techniques="Develop Opinion Article"

Table 1365. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.006.md

Create Fake Research

Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.

This Technique previously used the ID T0019.001.

The tag is: misp-galaxy:disarm-techniques="Create Fake Research"

Table 1366. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.007.md

Develop Image-Based Content

Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.

The tag is: misp-galaxy:disarm-techniques="Develop Image-Based Content"

Table 1367. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.md

Develop Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:disarm-techniques="Develop Memes"

Table 1368. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.001.md

Develop AI-Generated Images (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Images (Deepfakes)"

Table 1369. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.002.md

Deceptively Edit Images (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Images (Cheap Fakes)"

Table 1370. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.003.md

Aggregate Information into Evidence Collages

Image files that aggregate positive evidence (Joan Donovan)

The tag is: misp-galaxy:disarm-techniques="Aggregate Information into Evidence Collages"

Table 1371. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.004.md

Develop Video-Based Content

Creating and editing false or misleading video artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include staging videos of purportedly real situations, repurposing existing video artefacts, or using AI-generated video creation and editing technologies (including deepfakes).

The tag is: misp-galaxy:disarm-techniques="Develop Video-Based Content"

Table 1372. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.md

Develop AI-Generated Videos (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Videos (Deepfakes)"

Table 1373. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.001.md

Deceptively Edit Video (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Video (Cheap Fakes)"

Table 1374. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.002.md

Develop Audio-Based Content

Creating and editing false or misleading audio artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include creating completely new audio content, repurposing existing audio artefacts (including cheap fakes), or using AI-generated audio creation and editing technologies (including deepfakes).

The tag is: misp-galaxy:disarm-techniques="Develop Audio-Based Content"

Table 1375. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.md

Develop AI-Generated Audio (Deepfakes)

Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.

The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Audio (Deepfakes)"

Table 1376. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.001.md

Deceptively Edit Audio (Cheap Fakes)

Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.

The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Audio (Cheap Fakes)"

Table 1377. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.002.md

Obtain Private Documents

Procuring documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can include authentic non-public documents, authentic non-public documents that have been altered, or inauthentic documents intended to appear as if they are authentic non-public documents. All of these types of documents can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Obtain Private Documents"

Table 1378. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.md

Obtain Authentic Documents

Procure authentic documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Obtain Authentic Documents"

Table 1379. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.001.md

Alter Authentic Documents

Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be "leaked" during later stages in the operation.

The tag is: misp-galaxy:disarm-techniques="Alter Authentic Documents"

Table 1380. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.003.md

Create Inauthentic Accounts

Inauthentic accounts include bot accounts, cyborg accounts, sockpuppet accounts, and anonymous accounts.

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Accounts"

Table 1381. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.md

Create Anonymous Accounts

Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation.

The tag is: misp-galaxy:disarm-techniques="Create Anonymous Accounts"

Table 1382. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.001.md

Create Cyborg Accounts

Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behaviour with human interaction.

The tag is: misp-galaxy:disarm-techniques="Create Cyborg Accounts"

Table 1383. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.002.md

Create Bot Accounts

Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behaviour. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may programme a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources. Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots pose as real people by mimicking human behaviour, complicating their detection.

The tag is: misp-galaxy:disarm-techniques="Create Bot Accounts"

Table 1384. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.003.md

Create Sockpuppet Accounts

Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account. Sockpuppet accounts help legitimise operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation.

The tag is: misp-galaxy:disarm-techniques="Create Sockpuppet Accounts"

Table 1385. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.004.md

Recruit Malign Actors

Operators recruit bad actors by paying, recruiting, or exerting control over individuals, including trolls, partisans, and contractors.

The tag is: misp-galaxy:disarm-techniques="Recruit Malign Actors"

Table 1386. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.md

Recruit Contractors

Operators recruit paid contractors to support the campaign.

The tag is: misp-galaxy:disarm-techniques="Recruit Contractors"

Table 1387. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.001.md

Recruit Partisans

Operators recruit partisans (ideologically-aligned individuals) to support the campaign.

The tag is: misp-galaxy:disarm-techniques="Recruit Partisans"

Table 1388. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.002.md

Enlist Troll Accounts

An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate. Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organisation, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalised or less organised and work for a single individual.

The tag is: misp-galaxy:disarm-techniques="Enlist Troll Accounts"

Table 1389. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.003.md

Build Network

Operators build their own network, creating links between accounts — whether authentic or inauthentic — in order to amplify and promote narratives and artefacts, and encourage further growth of their network, as well as the ongoing sharing and engagement with operational content.

The tag is: misp-galaxy:disarm-techniques="Build Network"

Table 1390. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.md

Create Organisations

Influence operations may establish organisations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.

The tag is: misp-galaxy:disarm-techniques="Create Organisations"

Table 1391. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.001.md

Use Follow Trains

A follow train is a group of people who follow each other on a social media platform, often as a way for an individual or campaign to grow its social media following. Follow trains may be a violation of platform Terms of Service. They are also known as follow-for-follow groups.

The tag is: misp-galaxy:disarm-techniques="Use Follow Trains"

Table 1392. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.002.md

Create Community or Sub-Group

When there is not an existing community or sub-group that meets a campaign’s goals, an influence operation may seek to create a community or sub-group.

The tag is: misp-galaxy:disarm-techniques="Create Community or Sub-Group"

Table 1393. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.003.md

Acquire/Recruit Network

Operators acquire an existing network by paying, recruiting, or exerting control over the leaders of the existing network.

The tag is: misp-galaxy:disarm-techniques="Acquire/Recruit Network"

Table 1394. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.md

Fund Proxies

An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including:

- Diversifying operation locations to complicate attribution
- Reducing the workload for direct operation assets

The tag is: misp-galaxy:disarm-techniques="Fund Proxies"

Table 1395. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.001.md

Acquire Botnets

A botnet is a group of bots that can function in coordination with each other.

The tag is: misp-galaxy:disarm-techniques="Acquire Botnets"

Table 1396. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.002.md

Infiltrate Existing Networks

Operators deceptively insert social assets into existing networks as group members in order to influence the members of the network and the wider information environment that the network impacts.

The tag is: misp-galaxy:disarm-techniques="Infiltrate Existing Networks"

Table 1397. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.md

Identify Susceptible Targets in Networks

When seeking to infiltrate an existing network, an influence operation may identify individuals and groups that might be susceptible to being co-opted or influenced.

The tag is: misp-galaxy:disarm-techniques="Identify Susceptible Targets in Networks"

Table 1398. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.001.md

Utilise Butterfly Attacks

Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organisations, and media campaigns.

The tag is: misp-galaxy:disarm-techniques="Utilise Butterfly Attacks"

Table 1399. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.002.md

Develop Owned Media Assets

An owned media asset refers to an agency or organisation through which an influence operation may create, develop, and host content and narratives. Owned media assets include websites, blogs, social media pages, forums, and other platforms that facilitate the creation and organisation of content.

The tag is: misp-galaxy:disarm-techniques="Develop Owned Media Assets"

Table 1400. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0095.md

Leverage Content Farms

Using the services of large-scale content providers for creating and amplifying campaign artefacts at scale.

The tag is: misp-galaxy:disarm-techniques="Leverage Content Farms"

Table 1401. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.md

Create Content Farms

An influence operation may create an organisation for creating and amplifying campaign artefacts at scale.

The tag is: misp-galaxy:disarm-techniques="Create Content Farms"

Table 1402. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.001.md

Outsource Content Creation to External Organisations

An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organisation that can create content in the target audience’s native language. Employed organisations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media.

The tag is: misp-galaxy:disarm-techniques="Outsource Content Creation to External Organisations"

Table 1403. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.002.md

Create Personas

Creating fake people, often with accounts across multiple platforms. These personas can be as simple as a name, can contain slightly more background like location, profile pictures, backstory, or can be effectively backstopped with indicators like fake identity documents.

The tag is: misp-galaxy:disarm-techniques="Create Personas"

Table 1404. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0097.md

Produce Evidence for Persona

People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).

This Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.

The use of personas (T0097), and providing evidence to improve people’s perception of one’s persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.

This Technique was previously called Backstop Personas.

The tag is: misp-galaxy:disarm-techniques="Produce Evidence for Persona"

Table 1405. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0097.001.md

Establish Inauthentic News Sites

Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda — for instance, click-based revenue — often have some superficial markers of authenticity, such as naming and site design. But many can be quickly exposed with reference to their ownership, reporting history and advertising details.

The tag is: misp-galaxy:disarm-techniques="Establish Inauthentic News Sites"

Table 1406. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.md

Create Inauthentic News Sites

Create Inauthentic News Sites

The tag is: misp-galaxy:disarm-techniques="Create Inauthentic News Sites"

Table 1407. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.001.md

Leverage Existing Inauthentic News Sites

Leverage Existing Inauthentic News Sites

The tag is: misp-galaxy:disarm-techniques="Leverage Existing Inauthentic News Sites"

Table 1408. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.002.md

Impersonate Existing Entity

An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities.

Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites.

An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account.

This Technique was previously called Prepare Assets Impersonating Legitimate Entities.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Entity"

Table 1409. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.md

Spoof/Parody Account/Site

An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.

The tag is: misp-galaxy:disarm-techniques="Spoof/Parody Account/Site"

Table 1410. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.002.md

Impersonate Existing Organisation

A situation where a threat actor styles their online assets or content to mimic an existing organisation.

This can be done to take advantage of peoples’ trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Organisation"

Table 1411. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.003.md

Impersonate Existing Media Outlet

A situation where a threat actor styles their online assets or content to mimic an existing media outlet.

This can be done to take advantage of peoples’ trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Media Outlet"

Table 1412. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.004.md

Impersonate Existing Official

A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc).

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Official"

Table 1413. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.005.md

Impersonate Existing Influencer

A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users’ existing faith in the impersonated target.

The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Influencer"

Table 1414. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.006.md

Co-Opt Trusted Sources

An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:

- National or local news outlets
- Research or academic publications
- Online blogs or websites

The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Sources"

Table 1415. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.md

Co-Opt Trusted Individuals

Co-Opt Trusted Individuals

The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Individuals"

Table 1416. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.001.md

Co-Opt Grassroots Groups

Co-Opt Grassroots Groups

The tag is: misp-galaxy:disarm-techniques="Co-Opt Grassroots Groups"

Table 1417. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.002.md

Co-Opt Influencers

Co-opt Influencers

The tag is: misp-galaxy:disarm-techniques="Co-Opt Influencers"

Table 1418. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.003.md

Create Localised Content

Localised content refers to content that appeals to a specific community of individuals, often in defined geographic areas. An operation may create localised content using local language and dialects to resonate with its target audience and blend in with other local news and social media. Localised content may help an operation increase legitimacy, avoid detection, and complicate external attribution.

The tag is: misp-galaxy:disarm-techniques="Create Localised Content"

Table 1419. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0101.md

Leverage Echo Chambers/Filter Bubbles

An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm’s placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by matching existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members.

The tag is: misp-galaxy:disarm-techniques="Leverage Echo Chambers/Filter Bubbles"

Table 1420. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.md

Use Existing Echo Chambers/Filter Bubbles

Use existing Echo Chambers/Filter Bubbles

The tag is: misp-galaxy:disarm-techniques="Use Existing Echo Chambers/Filter Bubbles"

Table 1421. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.001.md

Create Echo Chambers/Filter Bubbles

Create Echo Chambers/Filter Bubbles

The tag is: misp-galaxy:disarm-techniques="Create Echo Chambers/Filter Bubbles"

Table 1422. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.002.md

Exploit Data Voids

A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.

The tag is: misp-galaxy:disarm-techniques="Exploit Data Voids"

Table 1423. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.003.md

Livestream

A livestream refers to an online broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Livestream"

Table 1424. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.md

Video Livestream

A video livestream refers to an online video broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Video Livestream"

Table 1425. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.001.md

Audio Livestream

An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks.

The tag is: misp-galaxy:disarm-techniques="Audio Livestream"

Table 1426. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.002.md

Social Networks

Social media are interactive digital channels that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks.

The tag is: misp-galaxy:disarm-techniques="Social Networks"

Table 1427. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.md

Mainstream Social Networks

Examples include Facebook, Twitter, LinkedIn, etc.

The tag is: misp-galaxy:disarm-techniques="Mainstream Social Networks"

Table 1428. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.001.md

Dating App

“Dating App” refers to any platform (or platform feature) in which the ostensible purpose is for users to develop a physical/romantic relationship with other users.

Threat Actors can exploit users’ quest for love to trick them into doing things like revealing sensitive information or giving them money.

Examples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, Hinge, LOVOO, OkCupid, happn, and Mamba.

The tag is: misp-galaxy:disarm-techniques="Dating App"

Table 1429. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.002.md

Private/Closed Social Networks

Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.

The tag is: misp-galaxy:disarm-techniques="Private/Closed Social Networks"

Table 1430. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.003.md

Interest-Based Networks

Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.

The tag is: misp-galaxy:disarm-techniques="Interest-Based Networks"

Table 1431. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.004.md

Use Hashtags

Use a dedicated, existing hashtag for the campaign/incident.

The tag is: misp-galaxy:disarm-techniques="Use Hashtags"

Table 1432. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.005.md

Create Dedicated Hashtag

Create a campaign/incident specific hashtag.

The tag is: misp-galaxy:disarm-techniques="Create Dedicated Hashtag"

Table 1433. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.006.md

Media Sharing Networks

Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, YouTube, and SoundCloud.

The tag is: misp-galaxy:disarm-techniques="Media Sharing Networks"

Table 1434. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.md

Photo Sharing

Examples include Instagram, Snapchat, Flickr, etc.

The tag is: misp-galaxy:disarm-techniques="Photo Sharing"

Table 1435. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.001.md

Video Sharing

Examples include YouTube, TikTok, ShareChat, Rumble, etc.

The tag is: misp-galaxy:disarm-techniques="Video Sharing"

Table 1436. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.002.md

Audio Sharing

Examples include podcasting apps, Soundcloud, etc.

The tag is: misp-galaxy:disarm-techniques="Audio Sharing"

Table 1437. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.003.md

Discussion Forums

Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc.

The tag is: misp-galaxy:disarm-techniques="Discussion Forums"

Table 1438. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0106.md

Anonymous Message Boards

Examples include the Chans.

The tag is: misp-galaxy:disarm-techniques="Anonymous Message Boards"

Table 1439. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0106.001.md

Bookmarking and Content Curation

Platforms for searching, sharing, and curating content and media. Examples include Pinterest, Flipboard, etc.

The tag is: misp-galaxy:disarm-techniques="Bookmarking and Content Curation"

Table 1440. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0107.md

Blogging and Publishing Networks

Examples include WordPress, Blogger, Weebly, Tumblr, Medium, etc.

The tag is: misp-galaxy:disarm-techniques="Blogging and Publishing Networks"

Table 1441. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0108.md

Consumer Review Networks

Platforms for finding, reviewing, and sharing information about brands, products, services, restaurants, travel destinations, etc. Examples include Yelp, TripAdvisor, etc.

The tag is: misp-galaxy:disarm-techniques="Consumer Review Networks"

Table 1442. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0109.md

Formal Diplomatic Channels

Leveraging formal, traditional, diplomatic channels to communicate with foreign governments (written documents, meetings, summits, diplomatic visits, etc). This type of diplomacy is conducted by diplomats of one nation with diplomats and other officials of another nation or international organisation.

The tag is: misp-galaxy:disarm-techniques="Formal Diplomatic Channels"

Table 1443. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0110.md

Traditional Media

Examples include TV, Newspaper, Radio, etc.

The tag is: misp-galaxy:disarm-techniques="Traditional Media"

Table 1444. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.md

TV

TV

The tag is: misp-galaxy:disarm-techniques="TV"

Table 1445. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.001.md

Newspaper

Newspaper

The tag is: misp-galaxy:disarm-techniques="Newspaper"

Table 1446. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.002.md

Radio

Radio

The tag is: misp-galaxy:disarm-techniques="Radio"

Table 1447. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.003.md

Email

Delivering content and narratives via email. This can include using list management or high-value individually targeted messaging.

The tag is: misp-galaxy:disarm-techniques="Email"

Table 1448. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0112.md

Employ Commercial Analytic Firms

Commercial analytic firms collect data on target audience activities and evaluate the data to detect trends, such as content receiving high click-rates. An influence operation may employ commercial analytic firms to facilitate external collection on its target audience, complicating attribution efforts and better tailoring the content to audience preferences.

The tag is: misp-galaxy:disarm-techniques="Employ Commercial Analytic Firms"

Table 1449. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0113.md

Deliver Ads

Delivering content via any form of paid media or advertising.

The tag is: misp-galaxy:disarm-techniques="Deliver Ads"

Table 1450. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0114.md

Social Media

Social Media

The tag is: misp-galaxy:disarm-techniques="Social Media"

Table 1451. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0114.001.md

Post Content

Delivering content by posting via owned media (assets that the operator controls).

The tag is: misp-galaxy:disarm-techniques="Post Content"

Table 1452. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.md

Share Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:disarm-techniques="Share Memes"

Table 1453. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.001.md

Post Violative Content to Provoke Takedown and Backlash

Post Violative Content to Provoke Takedown and Backlash.

The tag is: misp-galaxy:disarm-techniques="Post Violative Content to Provoke Takedown and Backlash"

Table 1454. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.002.md

One-Way Direct Posting

Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative.

The tag is: misp-galaxy:disarm-techniques="One-Way Direct Posting"

Table 1455. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.003.md

Comment or Reply on Content

Delivering content by replying or commenting via owned media (assets that the operator controls).

The tag is: misp-galaxy:disarm-techniques="Comment or Reply on Content"

Table 1456. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0116.md

Post Inauthentic Social Media Comment

Use government-paid social media commenters, astroturfers, and chat bots (programmed to reply to specific keywords/hashtags) to influence online conversations, product reviews, and website comment forums.

The tag is: misp-galaxy:disarm-techniques="Post Inauthentic Social Media Comment"

Table 1457. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0116.001.md

Attract Traditional Media

Deliver content by attracting the attention of traditional media (earned media).

The tag is: misp-galaxy:disarm-techniques="Attract Traditional Media"

Table 1458. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0117.md

Amplify Existing Narrative

An influence operation may amplify existing narratives that align with its narratives to support operation objectives.

The tag is: misp-galaxy:disarm-techniques="Amplify Existing Narrative"

Table 1459. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0118.md

Cross-Posting

Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience.

The tag is: misp-galaxy:disarm-techniques="Cross-Posting"

Table 1460. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.md

Post across Groups

An influence operation may post content across groups to spread narratives and content to new communities within the target audiences or to new target audiences.

The tag is: misp-galaxy:disarm-techniques="Post across Groups"

Table 1461. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.001.md

Post across Platform

An influence operation may post content across platforms to spread narratives and content to new communities within the target audiences or to new target audiences. Posting across platforms can also remove opposition and context, helping the narrative spread with less opposition on the cross-posted platform.

The tag is: misp-galaxy:disarm-techniques="Post across Platform"

Table 1462. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.002.md

Post across Disciplines

Post Across Disciplines

The tag is: misp-galaxy:disarm-techniques="Post across Disciplines"

Table 1463. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.003.md

Incentivize Sharing

Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.

The tag is: misp-galaxy:disarm-techniques="Incentivize Sharing"

Table 1464. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.md

Use Affiliate Marketing Programmes

Use Affiliate Marketing Programmes

The tag is: misp-galaxy:disarm-techniques="Use Affiliate Marketing Programmes"

Table 1465. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.001.md

Use Contests and Prizes

Use Contests and Prizes

The tag is: misp-galaxy:disarm-techniques="Use Contests and Prizes"

Table 1466. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.002.md

Manipulate Platform Algorithm

Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analysing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognises engagement with operation content and further promotes the content on user timelines.

The tag is: misp-galaxy:disarm-techniques="Manipulate Platform Algorithm"

Table 1467. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0121.md

Bypass Content Blocking

Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include:

- Altering IP addresses to avoid IP filtering
- Using a Virtual Private Network (VPN) to avoid IP filtering
- Using a Content Delivery Network (CDN) to avoid IP filtering
- Enabling encryption to bypass packet inspection blocking
- Manipulating text to avoid filtering by keywords
- Posting content on multiple platforms to avoid platform-specific removals
- Using local facilities or modified DNS servers to avoid DNS filtering

The tag is: misp-galaxy:disarm-techniques="Bypass Content Blocking"

Table 1468. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0121.001.md

Direct Users to Alternative Platforms

Direct users to alternative platforms refers to encouraging users to move from the platform on which they initially viewed operation content and engage with content on alternate information channels, including separate social media channels and inauthentic websites. An operation may drive users to alternative platforms to diversify its information channels and ensure the target audience knows where to access operation content if the initial platform suspends, flags, or otherwise removes original operation assets and content.

The tag is: misp-galaxy:disarm-techniques="Direct Users to Alternative Platforms"

Table 1469. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0122.md

Control Information Environment through Offensive Cyberspace Operations

Controlling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritise operation messaging or block opposition messaging.

The tag is: misp-galaxy:disarm-techniques="Control Information Environment through Offensive Cyberspace Operations"

Table 1470. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.md

Delete Opposing Content

Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.

The tag is: misp-galaxy:disarm-techniques="Delete Opposing Content"

Table 1471. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.001.md

Block Content

Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes.

The tag is: misp-galaxy:disarm-techniques="Block Content"

Table 1472. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.002.md

Destroy Information Generation Capabilities

Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives.

The tag is: misp-galaxy:disarm-techniques="Destroy Information Generation Capabilities"

Table 1473. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.003.md

Conduct Server Redirect

A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side or client-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.

The tag is: misp-galaxy:disarm-techniques="Conduct Server Redirect"

Table 1474. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.004.md

Suppress Opposition

Operators can suppress the opposition by exploiting platform content moderation tools and processes like reporting non-violative content to platforms for takedown and goading opposition actors into taking actions that result in platform action or target audience disapproval.

The tag is: misp-galaxy:disarm-techniques="Suppress Opposition"

Table 1475. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.md

Report Non-Violative Opposing Content

Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space.

The tag is: misp-galaxy:disarm-techniques="Report Non-Violative Opposing Content"

Table 1476. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.001.md

Goad People into Harmful Action (Stop Hitting Yourself)

Goad people into actions that violate terms of service or will lead to having their content or accounts taken down.

The tag is: misp-galaxy:disarm-techniques="Goad People into Harmful Action (Stop Hitting Yourself)"

Table 1477. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.002.md

Exploit Platform TOS/Content Moderation

Exploit Platform TOS/Content Moderation

The tag is: misp-galaxy:disarm-techniques="Exploit Platform TOS/Content Moderation"

Table 1478. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.003.md

Platform Filtering

Platform filtering refers to the decontextualization of information as claims cross platforms (from Joan Donovan https://www.hks.harvard.edu/publications/disinformation-design-use-evidence-collages-and-platform-filtering-media-manipulation)

The tag is: misp-galaxy:disarm-techniques="Platform Filtering"

Table 1479. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0125.md

Encourage Attendance at Events

An operation encourages attendance at an existing real-world event.

The tag is: misp-galaxy:disarm-techniques="Encourage Attendance at Events"

Table 1480. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.md

Call to Action to Attend

Call to action to attend an event.

The tag is: misp-galaxy:disarm-techniques="Call to Action to Attend"

Table 1481. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.001.md

Facilitate Logistics or Support for Attendance

Facilitate logistics or support for travel, food, housing, etc.

The tag is: misp-galaxy:disarm-techniques="Facilitate Logistics or Support for Attendance"

Table 1482. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.002.md

Physical Violence

Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value.

The tag is: misp-galaxy:disarm-techniques="Physical Violence"

Table 1483. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.md

Conduct Physical Violence

An influence operation may directly conduct physical violence to achieve campaign goals.

The tag is: misp-galaxy:disarm-techniques="Conduct Physical Violence"

Table 1484. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.001.md

Encourage Physical Violence

An influence operation may encourage others to engage in physical violence to achieve campaign goals.

The tag is: misp-galaxy:disarm-techniques="Encourage Physical Violence"

Table 1485. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.002.md

Conceal Information Assets

Conceal the identity or provenance of campaign information assets such as accounts, channels, pages etc. to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Information Assets"

Table 1486. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.md

Use Pseudonyms

An operation may use pseudonyms, or fake names, to mask the identity of operational accounts, channels, pages etc., publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account, channel, or page with the same falsified name.

The tag is: misp-galaxy:disarm-techniques="Use Pseudonyms"

Table 1487. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.001.md

Conceal Network Identity

Concealing network identity aims to hide the existence of an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation.

The tag is: misp-galaxy:disarm-techniques="Conceal Network Identity"

Table 1488. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.002.md

Distance Reputable Individuals from Operation

Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.

The tag is: misp-galaxy:disarm-techniques="Distance Reputable Individuals from Operation"

Table 1489. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.003.md

Launder Information Assets

Laundering occurs when an influence operation acquires control of previously legitimate information assets such as accounts, channels, pages etc. from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered assets to reach target audience members from within an existing information community and to complicate attribution.

The tag is: misp-galaxy:disarm-techniques="Launder Information Assets"

Table 1490. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.004.md

Change Names of Information Assets

Changing names or brand names of information assets such as accounts, channels, pages etc. An operation may change the names or brand names of its assets throughout an operation to avoid detection or alter the names of newly acquired or repurposed assets to fit operational narratives.

The tag is: misp-galaxy:disarm-techniques="Change Names of Information Assets"

Table 1491. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.005.md

Conceal Operational Activity

Conceal the campaign’s operational activity to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Operational Activity"

Table 1492. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.md

Generate Content Unrelated to Narrative

An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content.

The tag is: misp-galaxy:disarm-techniques="Generate Content Unrelated to Narrative"

Table 1493. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.002.md

Break Association with Content

Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation.

The tag is: misp-galaxy:disarm-techniques="Break Association with Content"

Table 1494. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.003.md

Delete URLs

URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.

The tag is: misp-galaxy:disarm-techniques="Delete URLs"

Table 1495. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.004.md

Coordinate on Encrypted/Closed Networks

Coordinate on encrypted/closed networks.

The tag is: misp-galaxy:disarm-techniques="Coordinate on Encrypted/Closed Networks"

Table 1496. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.005.md

Deny Involvement

Without "smoking gun" proof (and even with proof), the incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment.

The tag is: misp-galaxy:disarm-techniques="Deny Involvement"

Table 1497. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.006.md

Delete Accounts/Account Activity

Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artefacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred.

The tag is: misp-galaxy:disarm-techniques="Delete Accounts/Account Activity"

Table 1498. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.007.md

Redirect URLs

An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation’s appearance of legitimacy, complicate attribution, and avoid detection.

The tag is: misp-galaxy:disarm-techniques="Redirect URLs"

Table 1499. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.008.md

Remove Post Origins

Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content.

The tag is: misp-galaxy:disarm-techniques="Remove Post Origins"

Table 1500. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.009.md

Misattribute Activity

Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behaviour.

The tag is: misp-galaxy:disarm-techniques="Misattribute Activity"

Table 1501. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.010.md

Conceal Infrastructure

Conceal the campaign’s infrastructure to avoid takedown and attribution.

The tag is: misp-galaxy:disarm-techniques="Conceal Infrastructure"

Table 1502. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.md

Conceal Sponsorship

Concealing sponsorship aims to mislead about or obscure the identity of the hidden sponsor behind an operation, rather than the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organisations, but seek to mislead about or obscure the identity of those sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language.

The tag is: misp-galaxy:disarm-techniques="Conceal Sponsorship"

Table 1503. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.001.md

Utilise Bulletproof Hosting

Hosting refers to services through which storage and computing resources are provided to an individual or organisation for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilise bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend.

The tag is: misp-galaxy:disarm-techniques="Utilise Bulletproof Hosting"

Table 1504. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.002.md

Use Shell Organisations

Use Shell Organisations to conceal sponsorship.

The tag is: misp-galaxy:disarm-techniques="Use Shell Organisations"

Table 1505. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.003.md

Use Cryptocurrency

Use Cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum.

The tag is: misp-galaxy:disarm-techniques="Use Cryptocurrency"

Table 1506. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.004.md

Obfuscate Payment

Obfuscate Payment

The tag is: misp-galaxy:disarm-techniques="Obfuscate Payment"

Table 1507. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.005.md

Exploit TOS/Content Moderation

Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions.

The tag is: misp-galaxy:disarm-techniques="Exploit TOS/Content Moderation"

Table 1508. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.md

Legacy Web Content

Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it’s hard to remove or unlikely to be removed.

The tag is: misp-galaxy:disarm-techniques="Legacy Web Content"

Table 1509. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.001.md

Post Borderline Content

Post Borderline Content

The tag is: misp-galaxy:disarm-techniques="Post Borderline Content"

Table 1510. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.002.md

Measure Performance

A metric used to determine the accomplishment of actions. “Are the actions being executed as planned?”

The tag is: misp-galaxy:disarm-techniques="Measure Performance"

Table 1511. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.md

People Focused

Measure the performance of individuals in achieving campaign goals.

The tag is: misp-galaxy:disarm-techniques="People Focused"

Table 1512. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.001.md

Content Focused

Measure the performance of campaign content.

The tag is: misp-galaxy:disarm-techniques="Content Focused"

Table 1513. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.002.md

View Focused

View Focused

The tag is: misp-galaxy:disarm-techniques="View Focused"

Table 1514. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.003.md

Measure Effectiveness

A metric used to measure a current system state. “Are we on track to achieve the intended new system state within the planned timescale?”

The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness"

Table 1515. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.md

Behaviour Changes

Monitor and evaluate behaviour changes from misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Behaviour Changes"

Table 1516. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.001.md

Content

Measure current system state with respect to the effectiveness of campaign content.

The tag is: misp-galaxy:disarm-techniques="Content"

Table 1517. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.002.md

Awareness

Measure current system state with respect to the effectiveness of influencing awareness.

The tag is: misp-galaxy:disarm-techniques="Awareness"

Table 1518. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.003.md

Knowledge

Measure current system state with respect to the effectiveness of influencing knowledge.

The tag is: misp-galaxy:disarm-techniques="Knowledge"

Table 1519. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.004.md

Action/Attitude

Measure current system state with respect to the effectiveness of influencing action/attitude.

The tag is: misp-galaxy:disarm-techniques="Action/Attitude"

Table 1520. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.005.md

Measure Effectiveness Indicators (or KPIs)

Ensuring that Key Performance Indicators are identified and tracked, so that the performance and effectiveness of campaigns, and elements of campaigns, can be measured, during and after their execution.

The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness Indicators (or KPIs)"

Table 1521. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.md

Message Reach

Monitor and evaluate message reach in misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Message Reach"

Table 1522. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.001.md

Social Media Engagement

Monitor and evaluate social media engagement in misinformation incidents.

The tag is: misp-galaxy:disarm-techniques="Social Media Engagement"

Table 1523. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.002.md

Undermine

Weaken, debilitate, or subvert a target or their actions. An influence operation may be designed to disparage an opponent; sabotage an opponent’s systems or processes; compromise an opponent’s relationships or support system; impair an opponent’s capability; or thwart an opponent’s initiative.

The tag is: misp-galaxy:disarm-techniques="Undermine"

Table 1524. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.md

Smear

Denigrate, disparage, or discredit an opponent. This is a common tactical objective in political campaigns with a larger strategic goal. It differs from efforts to harm a target through defamation. If there is no ulterior motive and the sole aim is to cause harm to the target, then choose sub-technique “Defame” of technique “Cause Harm” instead.

The tag is: misp-galaxy:disarm-techniques="Smear"

Table 1525. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.001.md

Thwart

Prevent the successful outcome of a policy, operation, or initiative. Actors conduct influence operations to stymie or foil proposals, plans, or courses of action which are not in their interest.

The tag is: misp-galaxy:disarm-techniques="Thwart"

Table 1526. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.002.md

Subvert

Sabotage, destroy, or damage a system, process, or relationship. The classic example is the Soviet strategy of “active measures” involving deniable covert activities such as political influence, the use of front organisations, the orchestration of domestic unrest, and the spread of disinformation.

The tag is: misp-galaxy:disarm-techniques="Subvert"

Table 1527. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.003.md

Polarise

To cause a target audience to divide into two completely opposing groups. This is a special case of subversion. To divide and conquer is an age-old approach to subverting and overcoming an enemy.

The tag is: misp-galaxy:disarm-techniques="Polarise"

Table 1528. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.004.md

Cultivate Support

Grow or maintain the base of support for the actor, ally, or action. This includes hard-core recruitment, managing alliances, and generating or maintaining sympathy among a wider audience, including reputation management and public relations. Sub-techniques assume support for the actor (self) unless otherwise specified.

The tag is: misp-galaxy:disarm-techniques="Cultivate Support"

Table 1529. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.md

Defend Reputaton

Preserve a positive perception in the public’s mind following an accusation or adverse event. When accused of a wrongful act, an actor may engage in denial, counter accusations, whataboutism, or conspiracy theories to distract public attention and attempt to maintain a positive image.

The tag is: misp-galaxy:disarm-techniques="Defend Reputaton"

Table 1530. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.001.md

Justify Action

To convince others to exonerate you of a perceived wrongdoing. When an actor finds it untenable to deny doing something, they may attempt to exonerate themselves with disinformation which claims the action was reasonable. This is a special case of “Defend Reputation”.

The tag is: misp-galaxy:disarm-techniques="Justify Action"

Table 1531. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.002.md

Energise Supporters

Raise the morale of those who support the organisation or group. Invigorate constituents with zeal for the mission or activity. Terrorist groups, political movements, and cults may indoctrinate their supporters with ideologies that are based on warped versions of religion or cause harm to others.

The tag is: misp-galaxy:disarm-techniques="Energise Supporters"

Table 1532. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.003.md

Boost Reputation

Elevate the estimation of the actor in the public’s mind. Improve their image or standing. Public relations professionals use persuasive overt communications to achieve this goal; manipulators use covert disinformation.

The tag is: misp-galaxy:disarm-techniques="Boost Reputation"

Table 1533. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.004.md

Cultvate Support for Initiative

Elevate or fortify the public backing for a policy, operation, or idea. Domestic and foreign actors can use artificial means to fabricate or amplify public support for a proposal or action.

The tag is: misp-galaxy:disarm-techniques="Cultvate Support for Initiative"

Table 1534. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.005.md

Cultivate Support for Ally

Elevate or fortify the public backing for a partner. Governments may interfere in other countries’ elections by covertly favouring a party or candidate aligned with their interests. They may also mount an influence operation to bolster the reputation of an ally under attack.

The tag is: misp-galaxy:disarm-techniques="Cultivate Support for Ally"

Table 1535. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.006.md

Recruit Members

Motivate followers to join or subscribe as members of the team. Organisations may mount recruitment drives that use propaganda to entice sympathisers to sign up.

The tag is: misp-galaxy:disarm-techniques="Recruit Members"

Table 1536. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.007.md

Increase Prestige

Improve personal standing within a community. Gain fame, approbation, or notoriety. Conspiracy theorists, those with special access, and ideologues can gain prominence in a community by propagating disinformation, leaking confidential documents, or spreading hate.

The tag is: misp-galaxy:disarm-techniques="Increase Prestige"

Table 1537. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.008.md

Make Money

Profit from disinformation, conspiracy theories, or online harm. In some cases, the sole objective is financial gain, in other cases the objective is both financial and political. Making money may also be a way to sustain a political campaign.

The tag is: misp-galaxy:disarm-techniques="Make Money"

Table 1538. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.md

Generate Ad Revenue

Earn income from digital advertisements published alongside inauthentic content. Conspiratorial, false, or provocative content drives internet traffic. Content owners earn money from impressions of, clicks on, or conversions of ads published on their websites, social media profiles, or streaming services, or ads published when their content appears in search engine results. Fraudsters simulate impressions, clicks, and conversions, or they spin up inauthentic sites or social media profiles just to generate ad revenue. Conspiracy theorists and political operators generate ad revenue as a byproduct of their operation or as a means of sustaining their campaign.

The tag is: misp-galaxy:disarm-techniques="Generate Ad Revenue"

Table 1539. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.001.md

Scam

Defraud a target or trick a target into doing something that benefits the attacker. A typical scam is where a fraudster convinces a target to pay for something without the intention of ever delivering anything in return. Alternatively, the fraudster may promise benefits which never materialise, such as a fake cure. Criminals often exploit a fear or crisis or generate a sense of urgency. They may use deepfakes to impersonate authority figures or individuals in distress.

The tag is: misp-galaxy:disarm-techniques="Scam"

Table 1540. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.002.md

Raise Funds

Solicit donations for a cause. Popular conspiracy theorists can attract financial contributions from their followers. Fighting back against the establishment is a popular crowdfunding narrative.

The tag is: misp-galaxy:disarm-techniques="Raise Funds"

Table 1541. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.003.md

Sell Items under False Pretences

Offer products for sale under false pretences. Campaigns may hijack or create causes built on disinformation to sell promotional merchandise. Or charlatans may amplify victims’ unfounded fears to sell them items of questionable utility such as supplements or survival gear.

The tag is: misp-galaxy:disarm-techniques="Sell Items under False Pretences"

Table 1542. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.004.md

Extort

Coerce money or favours from a target by threatening to expose or corrupt information. Ransomware criminals typically demand money. Intelligence agencies demand national secrets. Sexual predators demand favours. The leverage may be critical, sensitive, or embarrassing information.

The tag is: misp-galaxy:disarm-techniques="Extort"

Table 1543. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.005.md

Manipulate Stocks

Artificially inflate or deflate the price of stocks or other financial instruments and then trade on these to make profit. The most common securities fraud schemes are called “pump and dump” and “poop and scoop”.

The tag is: misp-galaxy:disarm-techniques="Manipulate Stocks"

Table 1544. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.006.md

Motivate to Act

Persuade, impel, or provoke the target to behave in a specific manner favourable to the attacker. Some common behaviours are joining, subscribing, voting, buying, demonstrating, fighting, retreating, resigning, boycotting.

The tag is: misp-galaxy:disarm-techniques="Motivate to Act"

Table 1545. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.md

Encourage

Inspire, animate, or exhort a target to act. An actor can use propaganda, disinformation, or conspiracy theories to stimulate a target to act in its interest.

The tag is: misp-galaxy:disarm-techniques="Encourage"

Table 1546. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.001.md

Provoke

Instigate, incite, or arouse a target to act. Social media manipulators exploit moral outrage to propel targets to spread hate, take to the streets to protest, or engage in acts of violence.

The tag is: misp-galaxy:disarm-techniques="Provoke"

Table 1547. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.002.md

Compel

Force target to take an action or to stop taking an action it has already started. Actors can use the threat of reputational damage alongside military or economic threats to compel a target.

The tag is: misp-galaxy:disarm-techniques="Compel"

Table 1548. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.003.md

Dissuade from Acting

Discourage, deter, or inhibit the target from actions which would be unfavourable to the attacker. The actor may want the target to refrain from voting, buying, fighting, or supplying.

The tag is: misp-galaxy:disarm-techniques="Dissuade from Acting"

Table 1549. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.md

Discourage

To make a target disinclined or reluctant to act. Manipulators use disinformation to cause targets to question the utility, legality, or morality of taking an action.

The tag is: misp-galaxy:disarm-techniques="Discourage"

Table 1550. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.001.md

Silence

Intimidate or incentivise target into remaining silent or prevent target from speaking out. A threat actor may cow a target into silence as a special case of deterrence. Or they may buy the target’s silence. Or they may repress or restrict the target’s speech.

The tag is: misp-galaxy:disarm-techniques="Silence"

Table 1551. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.002.md

Deter

Prevent target from taking an action for fear of the consequences. Deterrence occurs in the mind of the target, who fears they will be worse off if they take an action than if they don’t. When making threats, aggressors may bluff, feign irrationality, or engage in brinksmanship.

The tag is: misp-galaxy:disarm-techniques="Deter"

Table 1552. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.003.md

Cause Harm

Persecute, malign, or inflict pain upon a target. The objective of a campaign may be to cause fear or emotional distress in a target. In some cases, harm is instrumental to achieving a primary objective, as in coercion, repression, or intimidation. In other cases, harm may be inflicted for the satisfaction of the perpetrator, as in revenge or sadistic cruelty.

The tag is: misp-galaxy:disarm-techniques="Cause Harm"

Table 1553. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.md

Defame

Attempt to damage the target’s personal reputation by impugning their character. This can range from subtle attempts to misrepresent or insinuate, to obvious attempts to denigrate or disparage, to blatant attempts to malign or vilify. Slander applies to oral expression. Libel applies to written or pictorial material. Defamation is often carried out by online trolls. The sole aim here is to cause harm to the target. If the threat actor uses defamation as a means of undermining the target, then choose sub-technique “Smear” of technique “Undermine” instead.

The tag is: misp-galaxy:disarm-techniques="Defame"

Table 1554. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.001.md

Intimidate

Coerce, bully, or frighten the target. An influence operation may use intimidation to compel the target to act against their will. Or the goal may be to frighten or even terrify the target into silence or submission. In some cases, the goal is simply to make the victim suffer.

The tag is: misp-galaxy:disarm-techniques="Intimidate"

Table 1555. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.002.md

Spread Hate

Publish and/or propagate demeaning, derisive, or humiliating content targeting an individual or group of individuals with the intent to cause emotional, psychological, or physical distress. Hate speech can cause harm directly or incite others to harm the target. It often aims to stigmatise the target by singling out immutable characteristics such as colour, race, religion, national or ethnic origin, gender, gender identity, sexual orientation, age, disease, or mental or physical disability. Thus, promoting hatred online may involve racism, antisemitism, Islamophobia, xenophobia, sexism, misogyny, homophobia, transphobia, ageism, ableism, or any combination thereof. Motivations for hate speech range from group preservation to ideological superiority to the unbridled infliction of suffering.

The tag is: misp-galaxy:disarm-techniques="Spread Hate"

Table 1556. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.003.md

Acquire Compromised Asset

Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Asset"

Table 1557. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.md

Acquire Compromised Account

Threat Actors can take over existing users’ accounts to distribute campaign content. 

The actor may maintain the asset’s previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.

The actor may completely rebrand the account to exploit its existing reach, or rely on the account’s history to avoid the more stringent automated content moderation rules applied to new accounts.

See also Mitre ATT&CK’s T1586 Compromise Accounts (https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.

This Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Account"

Table 1558. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.001.md

Acquire Compromised Website

Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites’ personas are maintained to add credence to threat actors’ narratives.

See also Mitre ATT&CK’s T1584 Compromise Infrastructure (https://attack.mitre.org/techniques/T1584/) for more technical information on how threat actors may achieve this objective.

The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Website"

Table 1559. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.002.md

Fabricate Grassroots Movement

This technique, sometimes known as "astroturfing", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. 

Astroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to "Utilise Butterfly Attacks", which aims to discredit an existing grassroots movement. 

This Technique was previously called Astroturfing, and used the ID T0099.001.

The tag is: misp-galaxy:disarm-techniques="Fabricate Grassroots Movement"

Table 1560. Table References

Links

https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0142.md

Election guidelines

Universal Development and Security Guidelines as Applicable to Election Technology.

Election guidelines is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

NIS Cooperation Group
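The tag lines on this page (misp-galaxy:disarm-techniques="…", misp-galaxy:guidelines="…") and the cluster JSON the page is generated from follow one fixed shape: a cluster has a type and a list of values, each with a value, a description and a meta block holding refs and, for DISARM, an external_id. The Python below is an added example, not part of this page or of the MISP project's own code. It loads a cluster in that shape, renders the tag MISP would apply for each value, parses a tag back to its cluster entry, and flags entries whose description only repeats the value or that carry no references, which is what several entries above look like (Obfuscate Payment, View Focused, and most of the Election guidelines). The sample cluster embedded in the script is constructed for the example; it is not a copy of any published galaxy file, and the duplicate entry is deliberate so the lint has something to catch.

```python
"""Render, parse and lint misp-galaxy tags from a cluster JSON document.

The cluster layout (type, values[].value, values[].description,
values[].meta.refs, values[].meta.external_id) mirrors the public
misp-galaxy cluster files; the sample below is constructed for this
example and is not a copy of a real cluster.
"""
import json
import re

# Constructed sample cluster. The third entry repeats a value and the second
# has a description that only repeats its value, to exercise lint_cluster().
SAMPLE_CLUSTER = json.dumps({
    "name": "DISARM Techniques",
    "type": "disarm-techniques",
    "version": 1,
    "values": [
        {"value": "Conceal Infrastructure",
         "description": "Conceal the campaign's infrastructure to avoid takedown and attribution.",
         "meta": {"external_id": "T0130",
                  "refs": ["https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.md"]}},
        {"value": "Obfuscate Payment",
         "description": "Obfuscate Payment",
         "meta": {"external_id": "T0130.005", "refs": []}},
        {"value": "Conceal Infrastructure",
         "description": "duplicate entry for the lint to catch",
         "meta": {"external_id": "T0130", "refs": []}},
    ],
})

# misp-galaxy:<type>="<value>"; the type never contains '=', the value is quoted.
TAG_RE = re.compile(r'^misp-galaxy:(?P<type>[^=]+)="(?P<value>.+)"$')


def load_cluster(text):
    """Parse cluster JSON and insist on the two keys everything else needs."""
    cluster = json.loads(text)
    for key in ("type", "values"):
        if key not in cluster:
            raise ValueError(f"cluster is missing required key {key!r}")
    return cluster


def galaxy_tag(cluster_type, value):
    """Tag text as MISP renders it. A double quote in the value would break
    the quoted syntax, so refuse it rather than emit an unparsable tag."""
    if '"' in value:
        raise ValueError(f"value contains a double quote: {value!r}")
    return f'misp-galaxy:{cluster_type}="{value}"'


def cluster_tags(cluster):
    """One tag per entry, in cluster order."""
    return [galaxy_tag(cluster["type"], v["value"]) for v in cluster["values"]]


def parse_tag(tag):
    """Return (type, value) for a misp-galaxy tag, or None for any other tag."""
    match = TAG_RE.match(tag)
    return (match.group("type"), match.group("value")) if match else None


def resolve_tag(cluster, tag):
    """Map a tag back to its cluster entry (first match wins); None if the
    tag is not a galaxy tag, belongs to another cluster, or is unknown."""
    parsed = parse_tag(tag)
    if parsed is None or parsed[0] != cluster["type"]:
        return None
    for entry in cluster["values"]:
        if entry["value"] == parsed[1]:
            return entry
    return None


def lint_cluster(cluster):
    """Return (value, problem) pairs for entries that render poorly in the
    generated documentation: empty or duplicate values, descriptions that
    are missing or only repeat the value, and entries with no references."""
    problems = []
    seen = set()
    for entry in cluster["values"]:
        value = entry.get("value", "")
        desc = (entry.get("description") or "").strip()
        refs = entry.get("meta", {}).get("refs", [])
        if not value:
            problems.append((value, "empty value"))
        if value in seen:
            problems.append((value, "duplicate value"))
        seen.add(value)
        if not desc or desc == value:
            problems.append((value, "description missing or just repeats the value"))
        if not refs:
            problems.append((value, "no references"))
    return problems


if __name__ == "__main__":
    cluster = load_cluster(SAMPLE_CLUSTER)
    for tag in cluster_tags(cluster):
        entry = resolve_tag(cluster, tag)
        print(tag, "->", entry["meta"].get("external_id"))
    for value, problem in lint_cluster(cluster):
        print(f"lint: {value!r}: {problem}")
```

Running the script against a real cluster file (json.load on the file instead of SAMPLE_CLUSTER) gives the same checks over every value, which is a cheap way to catch a value that would produce an unparsable tag, or a description that only repeats its value, before the cluster is imported into MISP.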

Tampering with registrations

Tampering with registrations

The tag is: misp-galaxy:guidelines="Tampering with registrations"

Table 1561. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of party/campaign registration, causing them to miss the deadline

DoS or overload of party/campaign registration, causing them to miss the deadline

The tag is: misp-galaxy:guidelines="DoS or overload of party/campaign registration, causing them to miss the deadline"

Table 1562. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Fabricated signatures from sponsor

Fabricated signatures from sponsor

The tag is: misp-galaxy:guidelines="Fabricated signatures from sponsor"

Table 1563. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Identity fraud during voter registration

Identity fraud during voter registration

The tag is: misp-galaxy:guidelines="Identity fraud during voter registration"

Table 1564. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Deleting or tampering with voter data

Deleting or tampering with voter data

The tag is: misp-galaxy:guidelines="Deleting or tampering with voter data"

Table 1565. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of voter registration system, suppressing voters

DoS or overload of voter registration system, suppressing voters

The tag is: misp-galaxy:guidelines="DoS or overload of voter registration system, suppressing voters"

Table 1566. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking candidate laptops or email accounts

Hacking candidate laptops or email accounts

The tag is: misp-galaxy:guidelines="Hacking candidate laptops or email accounts"

Table 1567. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites (defacement, DoS)

Hacking campaign websites (defacement, DoS)

The tag is: misp-galaxy:guidelines="Hacking campaign websites (defacement, DoS)"

Table 1568. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Misconfiguration of a website

Misconfiguration of a website

The tag is: misp-galaxy:guidelines="Misconfiguration of a website"

Table 1569. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Leak of confidential information

Leak of confidential information

The tag is: misp-galaxy:guidelines="Leak of confidential information"

Table 1570. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking/misconfiguration of government servers, communication networks, or endpoints

Hacking/misconfiguration of government servers, communication networks, or endpoints

The tag is: misp-galaxy:guidelines="Hacking/misconfiguration of government servers, communication networks, or endpoints"

Table 1571. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results

Hacking government websites, spreading misinformation on the election process, registered parties/candidates, or results

The tag is: misp-galaxy:guidelines="Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results"

Table 1572. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of government websites

DoS or overload of government websites

The tag is: misp-galaxy:guidelines="DoS or overload of government websites"

Table 1573. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of voting and/or vote confidentiality during or after the elections

Tampering or DoS of voting and/or vote confidentiality during or after the elections

The tag is: misp-galaxy:guidelines="Tampering or DoS of voting and/or vote confidentiality during or after the elections"

Table 1574. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Software bug altering results

Software bug altering results

The tag is: misp-galaxy:guidelines="Software bug altering results"

Table 1575. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with logs/journals

Tampering with logs/journals

The tag is: misp-galaxy:guidelines="Tampering with logs/journals"

Table 1576. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Breach of voters privacy during the casting of votes

Breach of voters privacy during the casting of votes

The tag is: misp-galaxy:guidelines="Breach of voters privacy during the casting of votes"

Table 1577. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS or overload of the systems used for counting or aggregating results

Tampering, DoS or overload of the systems used for counting or aggregating results

The tag is: misp-galaxy:guidelines="Tampering, DoS or overload of the systems used for counting or aggregating results"

Table 1578. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of communication links uesd to transfer (interim) results

The tag is: misp-galaxy:guidelines="Tampering or DoS of communication links uesd to transfer (interim) results"

Table 1579. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with supply chain involved in the movement or transfer data

Tampering with supply chain involved in the movement or transfer data

The tag is: misp-galaxy:guidelines="Tampering with supply chain involved in the movement or transfer data"

Table 1580. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking of internal systems used by media or press

Hacking of internal systems used by media or press

The tag is: misp-galaxy:guidelines="Hacking of internal systems used by media or press"

Table 1581. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS, or overload of media communication links

The tag is: misp-galaxy:guidelines="Tampering, DoS, or overload of media communication links"

Table 1582. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Defacement, DoS or overload of websites or other systems used for publication of the results

Defacement, DoS or overload of websites or other systems used for publication of the results

The tag is: misp-galaxy:guidelines="Defacement, DoS or overload of websites or other systems used for publication of the results"

Table 1583. Table References

Links

https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Entity

Description of entities that can be involved in events.

Entity is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Individual

An individual involved in an event.

The tag is: misp-galaxy:entity="Individual"

Group

A group involved in an event.

The tag is: misp-galaxy:entity="Group"

Employee

An employee involved in an event.

The tag is: misp-galaxy:entity="Employee"

Structure

A structure involved in an event.

The tag is: misp-galaxy:entity="Structure"

Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It is not meant to be totally exhaustive but aims at covering the most seen in the past 5 years.

Exploit-Kit is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine - Will Metcalf - KahuSecurity

Astrum

Astrum Exploit Kit is a private exploit kit used in massive-scale malvertising campaigns. It is notable for its use of steganography.

The tag is: misp-galaxy:exploit-kit="Astrum"

Astrum is also known as:

  • Stegano EK

Table 1584. Table References

Links

http://malware.dontneedcoffee.com/2014/09/astrum-ek.html

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Underminer

Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, preventing of client revisits, URL randomization, and asymmetric encryption of payloads.

The tag is: misp-galaxy:exploit-kit="Underminer"

Underminer is also known as:

  • Underminer EK

Table 1585. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/

http://bobao.360.cn/interref/detail/248.html

Fallout

Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competing exploit kits.

The tag is: misp-galaxy:exploit-kit="Fallout"

Fallout is also known as:

  • Fallout

Fallout has relationships with:

  • dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain"

Table 1586. Table References

Links

https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/

https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/

Bingo

Bingo EK is the name chosen by defenders for a Fiesta-like EK first spotted in March 2017 and targeting at that time mostly Russia.

The tag is: misp-galaxy:exploit-kit="Bingo"

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code.

The tag is: misp-galaxy:exploit-kit="Terror EK"

Terror EK is also known as:

  • Blaze EK

  • Neptune EK

Table 1587. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/

DealersChoice

DealersChoice is a Flash Player Exploit platform triggered by RTF.

DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.

The tag is: misp-galaxy:exploit-kit="DealersChoice"

DealersChoice is also known as:

  • Sednit RTF EK

Table 1588. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting routers via the browser.

The tag is: misp-galaxy:exploit-kit="DNSChanger"

DNSChanger is also known as:

  • RouterEK

Table 1589. Table References

Links

http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Novidade

Novidade Exploit Kit is an exploit kit targeting routers via the browser.

The tag is: misp-galaxy:exploit-kit="Novidade"

Novidade is also known as:

  • DNSGhost

Table 1590. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

Disdain

Disdain EK was introduced on an underground forum on 2017-08-07. The panel is stolen from Sundown, the patterns are Terror-like and the obfuscation is reminiscent of Nebula.

The tag is: misp-galaxy:exploit-kit="Disdain"

Table 1591. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/

Kaixin

Kaixin is an exploit kit mainly seen behind compromised websites in Asia.

The tag is: misp-galaxy:exploit-kit="Kaixin"

Kaixin is also known as:

  • CK vip

Table 1592. Table References

Links

http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/

http://www.kahusecurity.com/2012/new-chinese-exploit-pack/

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded Flash exploits. The author does not want customers to use it in mass spam campaigns, so it is most often connected to semi-targeted attacks.

The tag is: misp-galaxy:exploit-kit="MWI"

Table 1594. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf

ThreadKit

ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017.

The tag is: misp-galaxy:exploit-kit="ThreadKit"

Table 1595. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

VenomKit

VenomKit is the name given to a kit sold since April 2017 as "Word 1day exploit builder" by the user badbullzvenom. The author allows its use only in targeted campaigns. It is used, for instance, by the "Cobalt Gang".

The tag is: misp-galaxy:exploit-kit="VenomKit"

VenomKit is also known as:

  • Venom

Table 1596. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Taurus Builder

Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user "badbullzvenom".

The tag is: misp-galaxy:exploit-kit="Taurus Builder"

RIG

RIG is an exploit kit that has its source in Infinity EK, itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible to "vip" customers and RIG 3 was still in use.

The tag is: misp-galaxy:exploit-kit="RIG"

RIG is also known as:

  • RIG 3

  • RIG-v

  • RIG 4

  • Meadgive

Table 1597. Table References

Links

http://www.kahusecurity.com/2014/rig-exploit-pack/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

Spelevo

Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK.

The tag is: misp-galaxy:exploit-kit="Spelevo"

Table 1598. Table References

Links

https://twitter.com/kafeine/status/1103649040800145409

Sednit EK

Sednit EK is the exploit kit used by APT28.

The tag is: misp-galaxy:exploit-kit="Sednit EK"

Sednit EK is also known as:

  • SedKit

Table 1599. Table References

Links

http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

Sundown-P

Sundown-P/Sundown-Pirate is a rip of Sundown used privately (by one group only). It was first spotted at the end of June 2017 and branded as CaptainBlack in August 2017.

The tag is: misp-galaxy:exploit-kit="Sundown-P"

Sundown-P is also known as:

  • Sundown-Pirate

  • CaptainBlack

Table 1600. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features.

The tag is: misp-galaxy:exploit-kit="Bizarro Sundown"

Bizarro Sundown is also known as:

  • Sundown-b

Table 1601. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/

Hunter

Hunter EK is an evolution of 3Ros EK.

The tag is: misp-galaxy:exploit-kit="Hunter"

Hunter is also known as:

  • 3ROS Exploit Kit

Hunter has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

Table 1602. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without a landing page.

The tag is: misp-galaxy:exploit-kit="GreenFlash Sundown"

GreenFlash Sundown is also known as:

  • Sundown-GF

Table 1603. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

Angler

The Angler Exploit Kit was the most popular and most evolved exploit kit from 2014 to the middle of 2016. There were several variations: the historical "indexm" variant, used to spread Lurk; a VIP version, used notably to spread Poweliks; the "standard" commercial version; and a variant tied to load selling (mostly bankers) that can be associated with EmpirePPC.

The tag is: misp-galaxy:exploit-kit="Angler"

Angler is also known as:

  • XXX

  • AEK

  • Axpergle

Table 1604. Table References

Links

https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html

http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

Archie

Archie EK

The tag is: misp-galaxy:exploit-kit="Archie"

Table 1605. Table References

Links

https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit

BlackHole

The BlackHole Exploit Kit was the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch’s arrest (all activity since then is anecdotal and based on an old leak).

The tag is: misp-galaxy:exploit-kit="BlackHole"

BlackHole is also known as:

  • BHEK

BlackHole has relationships with:

  • similar: misp-galaxy:rat="BlackHole" with estimative-language:likelihood-probability="likely"

Table 1606. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/

https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2.

The tag is: misp-galaxy:exploit-kit="Bleeding Life"

Bleeding Life is also known as:

  • BL

  • BL2

Table 1607. Table References

Links

http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/

http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html

Cool

The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013.

The tag is: misp-galaxy:exploit-kit="Cool"

Cool is also known as:

  • CEK

  • Styxy Cool

Table 1608. Table References

Links

http://malware.dontneedcoffee.com/2012/10/newcoolek.html

http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/

Fiesta

Fiesta Exploit Kit

The tag is: misp-galaxy:exploit-kit="Fiesta"

Fiesta is also known as:

  • NeoSploit

  • Fiexp

Table 1609. Table References

Links

http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

http://www.kahusecurity.com/2011/neosploit-is-back/

Empire

The Empire Pack is a variation of RIG operated by a load seller. It is being fed by many traffic actors.

The tag is: misp-galaxy:exploit-kit="Empire"

Empire is also known as:

  • RIG-E

Empire has relationships with:

  • similar: misp-galaxy:tool="Empire" with estimative-language:likelihood-probability="likely"

Table 1610. Table References

Links

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

FlashPack

FlashPack EK has multiple forks. The most common variant seen was the standalone Flash version.

The tag is: misp-galaxy:exploit-kit="FlashPack"

FlashPack is also known as:

  • FlashEK

  • SafePack

  • CritXPack

  • Vintage Pack

Table 1611. Table References

Links

http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html

http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

Glazunov

Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. The Glazunov compromises are likely the ancestor of the activity that became EITest in July 2014. Sibhost and Flimkit later showed similarities with this exploit kit.

The tag is: misp-galaxy:exploit-kit="Glazunov"

Table 1612. Table References

Links

https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/

GrandSoft

GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. It disappeared between March 2014 and September 2017.

The tag is: misp-galaxy:exploit-kit="GrandSoft"

GrandSoft is also known as:

  • StampEK

  • SofosFO

Table 1613. Table References

Links

http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html

https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/

HanJuan

HanJuan EK was a single-actor-fed variation of Angler EK used in an evolved malvertising chain targeting the USA. It used a 0-day (CVE-2015-0313) from the beginning of December 2014 until the beginning of February 2015.

The tag is: misp-galaxy:exploit-kit="HanJuan"

Table 1614. Table References

Links

http://www.malwaresigs.com/2013/10/14/unknown-ek/

https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack

https://twitter.com/kafeine/status/562575744501428226

Himan

Himan Exploit Kit

The tag is: misp-galaxy:exploit-kit="Himan"

Himan is also known as:

  • High Load

Table 1615. Table References

Links

http://malware.dontneedcoffee.com/2013/10/HiMan.html

Impact

Impact EK

The tag is: misp-galaxy:exploit-kit="Impact"

Table 1616. Table References

Links

http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

Infinity

Infinity is an evolution of Redkit.

The tag is: misp-galaxy:exploit-kit="Infinity"

Infinity is also known as:

  • Redkit v2.0

  • Goon

Table 1617. Table References

Links

http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html

http://www.kahusecurity.com/2014/the-resurrection-of-redkit/

Lightsout

Lightsout Exploit Kit was used in watering-hole attacks performed by the APT group Havex.

The tag is: misp-galaxy:exploit-kit="Lightsout"

Table 1618. Table References

Links

http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html

http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html

http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html

Nebula

Nebula Exploit Kit was built on Sundown source and features an internal TDS.

The tag is: misp-galaxy:exploit-kit="Nebula"

Table 1619. Table References

Links

http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

Neutrino

Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it became private (the defenders' name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.

The tag is: misp-galaxy:exploit-kit="Neutrino"

Neutrino is also known as:

  • Job314

  • Neutrino Rebooted

  • Neutrino-v

Neutrino has relationships with:

  • similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"

Table 1620. Table References

Links

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

Niteris

Niteris was used mainly to target Russia.

The tag is: misp-galaxy:exploit-kit="Niteris"

Niteris is also known as:

  • CottonCastle

Table 1621. Table References

Links

http://malware.dontneedcoffee.com/2014/06/cottoncastle.html

http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html

Nuclear

The Nuclear Pack appeared in 2009 and was one of the longest-lived exploit kits. Spartan EK was a landing-less variation of Nuclear Pack.

The tag is: misp-galaxy:exploit-kit="Nuclear"

Nuclear is also known as:

  • NEK

  • Nuclear Pack

  • Spartan

  • Neclu

Table 1622. Table References

Links

http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

Phoenix

Phoenix Exploit Kit

The tag is: misp-galaxy:exploit-kit="Phoenix"

Phoenix is also known as:

  • PEK

Table 1623. Table References

Links

http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html

http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/

Private Exploit Pack

Private Exploit Pack

The tag is: misp-galaxy:exploit-kit="Private Exploit Pack"

Private Exploit Pack is also known as:

  • PEP

Table 1624. Table References

Links

http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html

Redkit

Redkit was a major exploit kit in 2012. One of its specific features was to grant access in exchange for a percentage of the customer’s traffic.

The tag is: misp-galaxy:exploit-kit="Redkit"

Table 1625. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/

http://malware.dontneedcoffee.com/2012/05/inside-redkit.html

https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Sakura

Sakura Exploit Kit appeared in 2012 and was adopted by several big actors.

The tag is: misp-galaxy:exploit-kit="Sakura"

Table 1626. Table References

Links

http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

SPL

SPL exploit kit was mainly seen in 2012/2013, most often associated with ZeroAccess and Scareware/FakeAV.

The tag is: misp-galaxy:exploit-kit="SPL"

SPL is also known as:

  • SPL_Data

  • SPLNet

  • SPL2

Table 1627. Table References

Links

http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/

Sundown

Sundown Exploit Kit is mainly built out of stolen code from other exploit kits.

The tag is: misp-galaxy:exploit-kit="Sundown"

Sundown is also known as:

  • Beps

  • Xer

  • Beta

Table 1628. Table References

Links

http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html

https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road

Sweet-Orange

Sweet Orange

The tag is: misp-galaxy:exploit-kit="Sweet-Orange"

Sweet-Orange is also known as:

  • SWO

  • Anogre

Table 1629. Table References

Links

http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

WhiteHole

WhiteHole Exploit Kit appeared in January 2013 in the wake of CVE-2013-0422.

The tag is: misp-galaxy:exploit-kit="WhiteHole"

Table 1631. Table References

Links

http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html

Unknown

Unknown Exploit Kit. This is a placeholder for any undocumented exploit kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

The tag is: misp-galaxy:exploit-kit="Unknown"

Table 1632. Table References

Links

https://twitter.com/kafeine

https://twitter.com/node5

https://twitter.com/kahusecurity

SpelevoEK

The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.

The tag is: misp-galaxy:exploit-kit="SpelevoEK"

Table 1633. Table References

Links

https://cyberwarzone.com/what-is-the-spelevo-exploit-kit/

FIRST CSIRT Services Framework

The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide.

FIRST CSIRT Services Framework is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

FIRST - CIRCL - Jean-Louis Huynen

Service: Monitoring and detection

Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Monitoring and detection"

Service: Event analysis

The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Event analysis"

Service: Information security incident report acceptance

For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident report acceptance"

Service: Information security incident analysis

This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident analysis"

Service: Artifact and forensic evidence analysis

The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, application code, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain of custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments (with or without external access from standard wired or wireless networks, such as performing the forensic activities in a sealed or Faraday room), logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc.

The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list:

  • The context required for the artefact to run and to perform its intended tasks, whether malicious or not

  • How the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components

  • Which systems have been involved locally and remotely to support the distribution and actions

  • What an intruder did once access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network

  • What a user, user process, or user system did once the user account or user device was compromised

  • What behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination

  • How the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques)

  • What communication architecture (peer-to-peer, command-and-control, both) has been utilized

  • What the actions of the threat actors were, and what their network and systems footprint is

  • How the intruders or artefacts evaded detection (even over long periods of time, which may include reboot or reinitialization)

This can be achieved through various types of activities, including:

  • media or surface analysis

  • reverse engineering

  • runtime or dynamic analysis

  • comparative analysis

Each activity provides additional information about the artefacts.

Analysis methods include but are not limited to identification of the type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Artifact and forensic evidence analysis"

Service: Mitigation and recovery

Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes initiating and tracking all activities which are performed until the information security incident can be considered closed, or until new information becomes available that requires further analysis and may therefore also change the response strategy and plan.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Mitigation and recovery"

Service: Information security incident coordination

Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, suitable escalation and reporting functions must be established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, tracks their responses, and makes sure that all parties carrying out activities report back to provide accurate situational awareness until the information security incident is considered closed and requires no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident coordination"

Service: Crisis management support

While today’s information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. The response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As is established practice in crisis management, a high-ranking role will take over responsibility for the crisis, thereby changing the usual line of command for the duration of the emergency. As systems and networks might contribute to emergencies, or are required to be available in order to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations, providing valuable experience as well as its established services and networks of points of contact.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Crisis management support"

Service: Vulnerability discovery / research

Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability discovery / research"

Service: Vulnerability report intake

One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what to report and how to report it securely. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods that enable reports to be submitted safely and securely. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies; if it is not included as part of a vulnerability reporting form itself, it should be provided in separate documentation or via a web page, and should list the specific information that is desirable to include in the report.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability report intake"

Service: Vulnerability analysis

The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD) process.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability analysis"

Service: Vulnerability coordination

The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability coordination"

Service: Vulnerability disclosure

Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability disclosure"

Service: Vulnerability response

The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability response"

Service: Data acquisition

Solicit, collect, determine, and satisfy the constituencies’ information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information (including news of current events, scheduling of future events, reports and feeds), filtering the collected information, organizing it for use in incident analysis, prevention, detection, or other activities (such as planning or trending), storing it for later use, improving its “searchability”, and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Data acquisition"

Service: Analysis and synthesis

The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Analysis and synthesis"

Service: Communication

The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Communication"

Service: Awareness building

This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Awareness building"

Service: Training and education

A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help:

- maintain user awareness
- help the constituency understand the changing landscape and threats
- facilitate information exchange between the CSIRT and its constituency
- train the constituency on tools, processes and procedures related to security and incident management

This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency’s and the team’s capabilities.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Training and education"

Service: Exercises

Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to:

- test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond to and mitigate incidents. This is, generally, a paper/table-top exercise.
- test operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and procedures are executed correctly.

This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives:

- Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.
- Train: Instruct staff on new tools, techniques, and procedures.
- Exercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. Exercising is necessary for perishable skills and helps improve and maintain efficiency.
- Assess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.
- Verify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Exercises"

Service: Technical and policy advisory

Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.

The tag is: misp-galaxy:first-csirt-services-framework="Service: Technical and policy advisory"

Function: Log and sensor management

Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Log and sensor management"

Function: Detection use case management

New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Detection use case management"

Function: Contextual data management

The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Contextual data management"

Function: Correlation

Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Correlation"

Function: Qualification

Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Qualification"
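The Correlation and Qualification functions above, together with the allowlists mentioned under Contextual data management, describe one pipeline: group alerts that share an asset or identity into a single incident, suppress known-benign recurrences, score what remains by asset criticality, and work the highest score first. The following is an added example written for this page, not code from the FIRST CSIRT Services Framework or from MISP; the alerts, the asset criticality table, the allowlist and the field names (rule, asset, identity) are all constructed for illustration.

```python
"""Correlation and qualification of potential information security incidents.

Added example for this page; it is not code from the FIRST CSIRT Services
Framework or from MISP. The alerts, asset criticality table and allowlist
are constructed sample data, and the field names (rule, asset, identity)
are assumptions for illustration.
"""
from collections import defaultdict

# Constructed contextual data, the kind a CMDB or IAM export would provide:
# asset criticality on a 1 (low) to 5 (crown jewel) scale, and an allowlist of
# (rule, identity) pairs known to be benign that would otherwise keep firing.
ASSET_CRITICALITY = {"dc01": 5, "fileshare02": 4, "laptop-0217": 2,
                     "laptop-0331": 2, "kiosk-07": 1}
ALLOWLIST = {("impossible-travel", "svc_backup")}

# Constructed potential information security incidents (raw alerts).
ALERTS = [
    {"id": "a1", "rule": "brute-force", "asset": "dc01", "identity": "jdoe"},
    {"id": "a2", "rule": "new-admin-login", "asset": "fileshare02", "identity": "jdoe"},
    {"id": "a3", "rule": "malware-detected", "asset": "laptop-0217", "identity": "asmith"},
    {"id": "a4", "rule": "impossible-travel", "asset": "kiosk-07", "identity": "svc_backup"},
    {"id": "a5", "rule": "lateral-movement", "asset": "fileshare02", "identity": "asmith"},
    {"id": "a6", "rule": "phishing-click", "asset": "laptop-0331", "identity": "bwong"},
]


def correlate(alerts):
    """Group alerts that share an asset or an identity, transitively, into one incident.

    Uses a union-find over alert ids: every (kind, value) key seen before links
    the current alert to the first alert that carried that key.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_seen = {}
    for a in alerts:
        for key in (("asset", a["asset"]), ("identity", a["identity"])):
            if key in first_seen:
                union(first_seen[key], a["id"])
            else:
                first_seen[key] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return list(groups.values())


def qualify(alerts, criticality=ASSET_CRITICALITY, allowlist=ALLOWLIST):
    """Suppress allowlisted alerts, correlate the rest, then score and rank incidents.

    Returns (incidents sorted by descending score, suppressed alerts). The score
    lets the most critical touched asset dominate and adds breadth across assets
    and identities, so a multi-host, multi-user incident rises above a single alert.
    """
    kept = [a for a in alerts if (a["rule"], a["identity"]) not in allowlist]
    suppressed = [a for a in alerts if (a["rule"], a["identity"]) in allowlist]

    incidents = []
    for group in correlate(kept):
        assets = {a["asset"] for a in group}
        identities = {a["identity"] for a in group}
        score = 10 * max(criticality.get(x, 3) for x in assets) + len(assets) + len(identities)
        incidents.append({
            "alerts": sorted(a["id"] for a in group),
            "rules": sorted({a["rule"] for a in group}),
            "assets": sorted(assets),
            "identities": sorted(identities),
            "score": score,
        })
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents, suppressed


if __name__ == "__main__":
    ranked, dropped = qualify(ALERTS)
    for inc in ranked:
        print(f"score={inc['score']:3d} alerts={inc['alerts']} assets={inc['assets']} identities={inc['identities']}")
    print("suppressed by allowlist:", [a["id"] for a in dropped])
```

On the sample data, alerts a1, a2, a3 and a5 collapse into one incident because jdoe links a1 to a2, fileshare02 links a2 to a5, and asmith links a5 to a3; a4 is suppressed by the allowlist before correlation, and a6 stays a separate, lower-scored incident. Suppressing before correlating is deliberate: an allowlisted alert should not be able to glue two unrelated incidents together. Unknown assets default to a mid-range criticality so that a missing CMDB entry neither hides nor inflates an incident.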

Function: Information security incident report receipt

Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified such as exploited vulnerabilities, impact on both the technical and the business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most notably the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). Automatically submitted reports might or might not be acknowledged, depending on the implemented interfaces and protocols.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident report receipt"

Function: Information security incident triage and processing

Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or may not be obvious whether a real information security incident has occurred or whether there is a different reason, such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm). Attacks may originate from within the constituency of a CSIRT, may target this constituency, or may affect the constituency through collateral effects only. If the CSIRT does not provide information security incident management services for the identified targets, the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s). Unless there is a reason to decline an information security incident report or the report has been forwarded to another entity responsible for its handling, the report should be passed on to the Information Security Incident Analysis service for further review, analysis, and handling.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident triage and processing"

Function: Information security incident triage (prioritization and categorization)

The Analyzing Information Security Incidents service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT’s mandate. Some of this may have been documented during the Information Security Incident Report Triage and Processing function (of the Information Security Incident Report Intake service) if the information security incident was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT is responsible for according to its mandate).

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident triage (prioritization and categorization)"

Function: Information collection

Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing. While collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information collection"

Function: Detailed analysis coordination

As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). This requires initiating and tracking such activities up to the successful delivery of the desired analysis.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Detailed analysis coordination"

Function: Information security incident root cause analysis

This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack, exploit, or compromise exercised against the targets of an information security incident. It is also concerned with the circumstances that allowed an attacker to turn the initial access into the compromise of further systems. Depending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. In many situations, this function may best be conducted by the affected target itself; Coordinating CSIRTs in particular usually have no detailed technical knowledge of the systems or networks that have been compromised.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident root cause analysis"

Function: Cross-incident correlation

This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Cross-incident correlation"

Function: Media or surface analysis

This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Media or surface analysis"

Function: Reverse engineering

This function provides a deeper analysis of malware artefacts, including the identification of hidden actions and triggering commands. Reverse engineering allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering source code or by disassembling the binary into assembly language and interpreting it. The analyst uncovers all functions and actions exposed at the machine-language level that the malware can perform. Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Reverse engineering"

Function: Run time or dynamic analysis

This function involves understanding an artefact’s capabilities by observing the sample while it runs in a real or emulated environment (e.g., sandbox, virtual environment, and hardware or software emulators). Use of a simulated environment captures changes to the host, network traffic, and output from execution. The basic premise is to try to see the artefact in operation in as close to a real-life situation as possible.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Run time or dynamic analysis"

Function: Comparative analysis

This function involves exploring an artefact’s relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before). Comparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evolution of malware or other malicious types of artefacts.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Comparative analysis"
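The Media or surface analysis function above (file types, strings, hashes, sizes) and the Comparative analysis function (exact match versus code similarity) share the same groundwork, so one added example covers both. This is code written for this page, not code from the FIRST CSIRT Services Framework or from MISP; the four artefacts are constructed byte blobs standing in for files recovered during an incident, the magic-byte table is deliberately minimal, and the similarity measure (Jaccard over extracted strings and over 4-byte n-grams) is one simple choice among many.

```python
"""Surface analysis and comparative analysis of recovered artefacts.

Added example for this page; it is not code from the FIRST CSIRT Services
Framework or from MISP. The artefacts below are constructed byte blobs
standing in for files recovered during an incident, and the magic-byte
table is deliberately minimal.
"""
import hashlib
import re
from collections import Counter

# Constructed sample artefacts. Two are near-identical variants that share a
# callback URL and a marker string, one is a byte-for-byte copy, one is benign.
_HEADER = b"MZ\x90\x00" + b"\x00" * 12          # minimal PE-like header
_TAIL = bytes(range(0x80, 0xC0))                 # non-printable padding
ARTEFACTS = {
    "sample_v1.bin": _HEADER + b"http://update.example.test/c2\x00"
                     + b"cmd.exe /c whoami\x00ReadyForCommands\x00" + _TAIL,
    "sample_v2.bin": _HEADER + b"http://update.example.test/c2\x00"
                     + b"powershell -w hidden\x00ReadyForCommands\x00" + _TAIL,
    "sample_v1_copy.bin": _HEADER + b"http://update.example.test/c2\x00"
                     + b"cmd.exe /c whoami\x00ReadyForCommands\x00" + _TAIL,
    "notes.txt": b"Quarterly planning notes: budget, hiring, roadmap.\n",
}

MAGIC = {
    b"MZ": "PE executable (MZ header)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container",
}


def file_type(data):
    """Identify the container format from leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown/text"


def printable_strings(data, min_len=6):
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def surface_analysis(name, data):
    """Basic metadata: size, type, hashes and strings, ready for repository lookups."""
    return {
        "name": name,
        "size": len(data),
        "type": file_type(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": printable_strings(data),
    }


def byte_ngrams(data, n=4):
    """Multiset of overlapping n-byte windows; a cheap code-similarity feature."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def jaccard(a, b):
    """Jaccard similarity of two collections treated as sets (1.0 if both empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a | b) else 1.0


def compare(artefacts):
    """Exact-match (identical SHA-256) and similarity comparison of every pair."""
    reports = {name: surface_analysis(name, data) for name, data in artefacts.items()}
    names = list(artefacts)
    results = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            results.append({
                "pair": (x, y),
                "exact_match": reports[x]["sha256"] == reports[y]["sha256"],
                "string_similarity": round(jaccard(reports[x]["strings"], reports[y]["strings"]), 3),
                "ngram_similarity": round(jaccard(byte_ngrams(artefacts[x]), byte_ngrams(artefacts[y])), 3),
            })
    return results


if __name__ == "__main__":
    for name, data in ARTEFACTS.items():
        r = surface_analysis(name, data)
        print(f"{name}: {r['size']} bytes, {r['type']}, sha256={r['sha256']}, strings={r['strings']}")
    for row in compare(ARTEFACTS):
        print(row)
```

The copy is caught by the exact hash match alone, which is all a hash lookup against a public or private repository can do. The second variant has a different SHA-256 and would be missed by that lookup, but it shares the callback URL and the marker string, so the string and n-gram similarities stay high while the benign text file scores near zero on both. In practice the hashes and strings from the surface pass are what gets searched in MISP or other repositories, and the similarity pass is what links a previously unseen variant to a known campaign.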

Function: Response plan establishment

Without fully understanding the business impact and the requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest, tracking the attack to gain more intelligence versus containing the attack to avoid further losses, it is necessary to take all interests into consideration and work out a response plan that plausibly addresses the known facts and provides the desired outcome within the required timeframe. As with all plans, whenever new analysis results become available the new findings need to be reviewed, and the response plan will usually need to be changed to provide continuous orientation and guidance. Without such a plan, unless the response is handled by one small organizational group with little need for external interfaces or other entities, the activities might not be carried out effectively or efficiently due to a lack of coordination.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Response plan establishment"

Function: Ad hoc measures and containment

The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. Attacks usually aim to reach specific data and systems, which includes moving on (for example by lateral movement) to other systems and organizations, both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems. Denying further access to potentially critical evidence data will allow a full analysis of such evidence. Denying further access to other systems and networks will also limit the exposure to liability as a result of damage done to other organizations. Stopping immediate damage and limiting the extent of malicious activity through short-term tactical actions (for example, blocking or filtering traffic) can also involve regaining control of systems. As long as attackers or active malware have ready access to more systems or networks, no return to normal operation will be possible.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Ad hoc measures and containment"

Function: System restoration

Restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. As business reality usually demands that systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even returned systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar types of information security incidents.

The tag is: misp-galaxy:first-csirt-services-framework="Function: System restoration"

Function: Other information security entities support

A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Other information security entities support"

Function: Communication

A CSIRT must identify the intended audience as accurately as possible as communications are crafted and released. In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication. The security policy and the information sharing policy may require information to be handled in a strict manner. The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally. Non-disclosure agreements must be set up as far in advance as possible and communication resources set up accordingly. As an extension, the concept of “information under embargo” can also be used. Hence, a retention policy must also be established to ensure that both the data used to craft the information and the information itself are properly handled, shared, and kept based on constraints, such as time, until these constraints become void or the information is publicly disclosed. Communication channels can take multiple forms based upon the needs of stakeholders and constituents. All information communicated must be tagged according to the information sharing policy. The Traffic Light Protocol may be utilized.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Communication"

Function: Notification distribution

A security incident touches on many internal and potentially external entities and, possibly, systems and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any follow-up.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Notification distribution"

Function: Relevant information distribution

As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available. It may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Relevant information distribution"

Function: Activities coordination

As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. This involves the actions requested by a CSIRT or requests for sharing of further information, as well as requests for technical analysis of artefacts or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of its direct control to effectuate the actions necessary to mitigate an incident. But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities. By offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so, or to assist others in the detection, protection, or remediation of ongoing activities from attackers, and helps to close the information security incident.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Activities coordination"

Function: Reporting

Delivering concise and factual information about the current status of activities requested or carried out in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Reporting"

Function: Media communication

Communicating with the media is unavoidable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT that are not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Media communication"

Function: Information distribution to constituents

As the response to a crisis progresses, information must be distributed and disseminated. As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information distribution to constituents"

Function: Information security status reporting

The function involves delivering concise and factual information about the current status of cyber security inside the constituency. As a crisis might be used to start other attacks, or as occurring attacks might be part of the overall activities leading to this crisis, it is very important for the crisis management team to establish complete situational awareness. The CSIRT can provide such situational awareness for its services and constituents. This may either be requested or is expected by standard policies in a time of crisis. In any case, as crisis management is only successful based on the established information flow, and as it depends on coordinated resources to address the most critical aspects of the crisis, reporting must be timely and accurate. As ongoing information security incidents will require resources to handle them, a decision must be taken to either discontinue the response for the duration of the crisis (and allocate the now available resources to other areas) or to carry on. Reasonable decisions can only be taken based on the best situational awareness available.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security status reporting"

Function: Strategic decisions communication

Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over. As the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Strategic decisions communication"

Function: Incident response vulnerability discovery

During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability. Some of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Incident response vulnerability discovery"

Function: Public source vulnerability discovery

A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. Similar vulnerability information might also be received from the services of the Situational Awareness service area.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Public source vulnerability discovery"

Function: Vulnerability research

This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware. This function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities. The discovery of a new vulnerability as a result of this vulnerability research function may become input to the Incident Response service, Vulnerability Detection function (see sub-functions for Vulnerability Scanning and Vulnerability Penetration Testing).

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability research"

Function: Vulnerability report receipt

Effective intake of vulnerability reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability report receipt"

Function: Vulnerability report triage and processing

Vulnerability reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or may not be obvious whether a new vulnerability exists. Unless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability report triage and processing"

Function: Vulnerability triage (validation and categorization)

The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability triage (validation and categorization)"

Function: Vulnerability root cause analysis

The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability root cause analysis"

Function: Vulnerability remediation development

This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework. As part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks. This function will often receive information or input from the affected product’s vendor(s), sometimes as part of the initial report or announcement handled by other services or functions.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability remediation development"

Function: Vulnerability notification/reporting

The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability notification/reporting"

Function: Vulnerability stakeholder coordination

Coordinate the exchange of information among the finders/researchers, vendors, PSIRTs, and any other participants in the coordinated vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability stakeholder coordination"

Function: Vulnerability disclosure policy and infrastructure maintenance

CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to their constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability disclosure policy and infrastructure maintenance"

Function: Vulnerability announcement/communication/dissemination

Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability announcement/communication/dissemination"

Function: Post-vulnerability disclosure feedback

Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Post-vulnerability disclosure feedback"

Function: Vulnerability detection / scanning

The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability detection / scanning"

Function: Vulnerability remediation

Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability remediation"

Function: Policy aggregation, distillation, and guidance

The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure are supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organization's acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. Understanding and context establish the basis against which observations can be evaluated.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Policy aggregation, distillation, and guidance"

Function: Asset mapping to functions, roles, actions, and key risks

CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know:

- Legitimate users of internal and public-facing systems and devices
- Authorized devices and what they are used for
- Approved processes and applications, where they are allowed, and how they serve the constituency

This information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. The more precise the information available to the CSIRT team, the easier it will be to infer security issues and do something about them. Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Asset mapping to functions, roles, actions, and key risks"

Function: Collection

Information and data collection activities extend beyond feeds providing automated information. Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more. The data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. Overall the information helps provide actionable information to aid in decision making and incident handling.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Collection"

Function: Data processing and preparation

Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts. Some analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Data processing and preparation"

Function: Projection and inference

The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. Sometimes the data may quickly show a security issue.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Projection and inference"

Function: Event detection (through alerting and/or hunting)

The systematic and often directed searching for anomalous activity inside and outside of network boundaries based upon external and internal information and trends. The aim is to assist the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert about a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that triggered the alert, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services. CSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Event detection (through alerting and/or hunting)"

Function: Information security incident management decision support

Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident management decision support"

Function: Situational impact

This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Situational impact"

Function: Internal and external communication

Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the change that a new malicious technique, observed during an incident, is expected to have upon a constituent member. It may also include trend information, such as the most useful sources of enrichment data and the steps by which constituents can use it to improve their own situational awareness.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Internal and external communication"

Function: Reporting and recommendations

Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Reporting and recommendations"

Function: Implementation

In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honeypot based upon situational analysis.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Implementation"

Function: Dissemination / integration / information sharing

This function may include the following sub-functions:

- using the results of the analysis service in internal and external planning and decision-making processes
- identifying the right targets to receive the information
- making the analysis results available
- ensuring the delivery is successful
- tracking and reporting on the sharing of information
- sending relevant information to the Knowledge Transfer service for further use and dissemination

The tag is: misp-galaxy:first-csirt-services-framework="Function: Dissemination / integration / information sharing"

Function: Management of information sharing

This function may include the following sub-functions:

- providing information to other groups
- formatting information for transfer
- tracking the transfer process and its outcome

The tag is: misp-galaxy:first-csirt-services-framework="Function: Management of information sharing"

Function: Feedback

This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers, or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may also mean providing information to other CSIRTs (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Feedback"

Function: Research and information aggregation

This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Research and information aggregation"

Function: Reports and awareness materials development

This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Reports and awareness materials development"

Function: Information dissemination

The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Information dissemination"

Function: Outreach

This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Outreach"

Function: Knowledge, skill, and ability requirements gathering

The function involves collecting knowledge, skill, and ability (KSA) needs and the competence of a constituency in regard to determining what training and education should be provided.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Knowledge, skill, and ability requirements gathering"

Function: Educational and training materials development

This function involves building or acquiring content of educational and training materials such as presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Educational and training materials development"

Function: Content delivery

This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Content delivery"

Function: Mentoring

A Mentoring program can help provide a formal as well as informal mechanism for the mentor to share with the mentee about education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing rationale for specific decisions and actions.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Mentoring"

Function: CSIRT staff professional development

Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall Team environment. This can include attending conferences, advanced training, and cross-training activities, among others.

The tag is: misp-galaxy:first-csirt-services-framework="Function: CSIRT staff professional development"

Function: Requirements analysis

Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. Ensure the exercise includes activities and topics that relate to the required or desired skills of the participants, as well as the processes that should be tested.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Requirements analysis"

Function: Format and environment development

Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Format and environment development"

Function: Scenario development

Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Scenario development"

Function: Exercises execution

The function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. Can be in the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects being provided in a structured manner. This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Exercises execution"

Function: Exercise outcome review

Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Exercise outcome review"

Function: Risk management support

Support for activities related to assessing risk or compliance. This may include conducting an actual assessment or providing support to evaluate the results of an assessment.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Risk management support"

Function: Business continuity and disaster recovery planning support

Support the constituency in the activities related to organizational resilience, based on risks identified.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Business continuity and disaster recovery planning support"

Function: Policy support

This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. For internal CSIRTs, this typically includes support for information security and other operating policies. For coordinating and National CSIRTs, this might include support for public policies and new legislation.

The tag is: misp-galaxy:first-csirt-services-framework="Function: Policy support"

Function: Technical advice

This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall. This might include advice on:
  • security considerations for acquisition, compliance verification, maintenance, and upgrades
  • internal and external audits of cybersecurity related infrastructures and tools
  • secure software development requirements and secure coding

The tag is: misp-galaxy:first-csirt-services-framework="Function: Technical advice"

FIRST DNS Abuse Techniques Matrix

The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

FIRST DNS Abuse Techniques Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

FIRST.org - Andrey Meshkov (AdGuard) - Ángel González (INCIBE-CERT) - Angela Matlapeng (bwCSIRT) - Benedict Addis (Shadowserver) - Brett Carr (Nominet) - Carlos Alvarez (ICANN; founding member) - David Ruefenacht (Infoguard) - Gabriel Andrews (FBI) - John Todd (Quad9; current co-chair of DNS Abuse SIG) - Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair) - Jonathan Spring (CISA; current co-chair of DNS Abuse SIG) - Mark Henderson (IRS) - Mark Svancarek (Microsoft) - Merike Kaeo (Double Shot Security) - Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member) - Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG) - Shoko Nakai (JPCERT/CC) - Swapneel Patnekar (Shreshta IT) - Trey Darley (FIRST board; founding member)

DGAs

DGAs - Domain Generation Algorithm

The tag is: misp-galaxy:first-dns="DGAs"

Table 1634. Table References

Links

https://attack.mitre.org/techniques/T1568/002/

Domain name compromise

The wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity like sending spam or phishing, for distributing malware or as botnet command and control.

The tag is: misp-galaxy:first-dns="Domain name compromise"

Table 1635. Table References

Links

https://www.icann.org/groups/ssac/documents/sac-007-en

Lame delegations

Lame delegations occur as a result of expired nameserver domains allowing attackers to take control of the domain resolution by re-registering this expired nameserver domain.

The tag is: misp-galaxy:first-dns="Lame delegations"

Table 1636. Table References

Links

https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/

DNS cache poisoning

DNS cache poisoning - also known as DNS spoofing - is a type of cyber attack in which an attacker corrupts a DNS resolver’s cache by injecting false DNS records, causing the resolver to return records controlled by the attacker.

The tag is: misp-galaxy:first-dns="DNS cache poisoning"

Table 1637. Table References

Links

https://capec.mitre.org/data/definitions/142.html

DNS rebinding

DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim’s local resources.

The tag is: misp-galaxy:first-dns="DNS rebinding"

Table 1638. Table References

Links

https://capec.mitre.org/data/definitions/275.html

DNS server compromise

Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.

The tag is: misp-galaxy:first-dns="DNS server compromise"

Stub resolver hijacking

The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.

The tag is: misp-galaxy:first-dns="Stub resolver hijacking"

Local recursive resolver hijacking

Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.

The tag is: misp-galaxy:first-dns="Local recursive resolver hijacking"

On-path DNS attack

Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.

The tag is: misp-galaxy:first-dns="On-path DNS attack"

Table 1639. Table References

Links

https://www.imperva.com/learn/application-security/dns-hijacking-redirection/

DoS against the DNS

Multiple systems sending malicious traffic to a target at the same time.

The tag is: misp-galaxy:first-dns="DoS against the DNS"

DNS as a vector for DoS

Adversaries may attempt to cause a denial of service by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP, though the use of several others in the wild has been documented. These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.

The tag is: misp-galaxy:first-dns="DNS as a vector for DoS"

Table 1640. Table References

Links

https://attack.mitre.org/techniques/T1498/002/

Dynamic DNS resolution

Dynamic DNS resolution (as obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

The tag is: misp-galaxy:first-dns="Dynamic DNS resolution"

Table 1641. Table References

Links

https://attack.mitre.org/techniques/T1568/

Dynamic DNS resolution: Fast flux

Dynamic DNS resolution: Fast flux (as obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.

The tag is: misp-galaxy:first-dns="Dynamic DNS resolution: Fast flux"

Table 1642. Table References

Links

https://attack.mitre.org/techniques/T1568/001/

Infiltration and exfiltration via the DNS

Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain’s zone file information and configured to receive and respond to the queries sent by the compromised devices.

The tag is: misp-galaxy:first-dns="Infiltration and exfiltration via the DNS"

Malicious registration of (effective) second level domains

For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.

The tag is: misp-galaxy:first-dns="Malicious registration of (effective) second level domains"

Table 1643. Table References

Links

https://capec.mitre.org/data/definitions/630.html

Creation of malicious subdomains under dynamic DNS providers

Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control. S

The tag is: misp-galaxy:first-dns="Creation of malicious subdomains under dynamic DNS providers"

Table 1644. Table References

Links

https://en.wikipedia.org/wiki/Dynamic_DNS

Compromise of a non-DNS server to conduct abuse

Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.

The tag is: misp-galaxy:first-dns="Compromise of a non-DNS server to conduct abuse"

Spoofing or otherwise using unregistered domain names

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.

The tag is: misp-galaxy:first-dns="Spoofing or otherwise using unregistered domain names"

Spoofing of a registered domain

In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.

The tag is: misp-galaxy:first-dns="Spoofing of a registered domain"

DNS tunneling

DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.

The tag is: misp-galaxy:first-dns="DNS tunneling"

Table 1645. Table References

Links

https://attack.mitre.org/techniques/T1071/004/

DNS beacons - C2 communication

DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.

The tag is: misp-galaxy:first-dns="DNS beacons - C2 communication"

GSMA MoTIF

Mobile Threat Intelligence Framework (MoTIF) Principles.

GSMA MoTIF is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

GSMA

Monitor Radio Interface

The adversaries may monitor radio interface traffic to passively collect information about the radio network configuration or about subscribers in close vicinity of the adversary. (1), (2), (3), (4).

The tag is: misp-galaxy:gsma-motif="Monitor Radio Interface"

Table 1646. Table References

Links

page 14 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015
(2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.
(3) Kumar, P. et al. (2021). Murat: Multi-RAT False Base Station Detector (Section IIB)
(4) Rupprecht, D. et al. (2018). On Security Research Towards Future Mobile Network Generations. (Section III D)

Broadcast Channel

In mobile networks the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that utilizes the radio interface. Examples of such configuration are the physical cell ID (PCI), neighbouring cells, frequencies used, and Tracking Area Codes (TAC). (1), (2), (3), (4)

The tag is: misp-galaxy:gsma-motif="Broadcast Channel"

Table 1647. Table References

Links

page 15 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild.
(2) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015
(3) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.
(4) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.

Gather Victim Identity Information

Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. In mobile networks, the adversary wants to obtain information about subscriber and phone identities to conduct more targeted attacks. Subscriber identity can be, for example, MSISDN, IMSI, GUTI, TMSI.

The tag is: misp-galaxy:gsma-motif="Gather Victim Identity Information"

Table 1648. Table References

Links

page 16 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

ATT&CK Enterprise: Gather Victim Identity Information (T1589)

Phone and Subscription Information

In mobile networks, targeted attacks towards subscribers have to be done using the subscriber identity. Obtaining the identity would allow the attacker to gather more information or initiate more targeted attacks. The adversary gathers phone or subscription related information about subscriber(s). Examples are phone number (MSISDN), IMSI (International Mobile Subscriber Identity), home mobile network operator, S@T browser availability on the UICC, IMEI (International Mobile Equipment Identity). The data might be acquired through interconnection, social engineering, social media or otherwise. (1)

The tag is: misp-galaxy:gsma-motif="Phone and Subscription Information"

Table 1649. Table References

Links

page 17 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

ATT&CK Enterprise: Gather Employee Names (T1589.003)

Network Service Scanning

An adversary may discover operator network related information (identifiers). Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. In mobile networks, the adversary wants to obtain information about subscribers, signalling addresses, and the services supported by a given server. The scan may take place from the Internet, the interconnection network, or the radio network. Automated mass scanning events often take place.

The tag is: misp-galaxy:gsma-motif="Network Service Scanning"

Table 1650. Table References

Links

page 17 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) GSMA PRD IR.70 - SMS SS7 Fraud (Public)

ATT&CK Enterprise: Network Service Discovery (T1046); FiGHT: Network Service Scanning (FGT1046). NOTE: These two MITRE techniques are actually the same; however, due to an error the FiGHT technique was renamed.

Scan Signalling Addresses

By sending signalling messages to the network, the adversary tries to check if mobile network nodes leak node or network related information, or bypasses defences ((1) (2) below). Using this sub-technique as a preparatory step, the adversary can then tune his further attack steps to send specific attack messages based on this scan. Examples are SS7 scans to evaluate if a Global Title is in use or not. The adversary may also probe which PLMN-ID values are accepted by the HPLMN in Diameter Authentication Information Request (AIR).

The tag is: misp-galaxy:gsma-motif="Scan Signalling Addresses"

Table 1651. Table References

Links

page 18 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2017). Designated Attacker - Evolving SS7 Attack Tools
(2) Enea. (2018). Diameter Signalling Security - Protecting 4G Networks

ATT&CK Enterprise: IP Block Scanning (T1595.001)

Search Closed Sources

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black markets. Adversaries may search and collect information about the mobile network operator from closed or semi-closed sources. Typical examples are GSMA IR.21, IR.85, FS.30 or T-ISAC, information from insiders or partners. The information acquisition might be done legally or illegally.

The tag is: misp-galaxy:gsma-motif="Search Closed Sources"

Table 1652. Table References

Links

page 19 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide.
(2) https://www.wikileaks.org/hackingteam/emails/emailid/72166

ATT&CK Enterprise: Search Closed Sources (T1597)

Mobile Network Operator Sources

The adversary may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, suppliers. The adversary may search in closed sources like GSMA roaming database RAEX IR.21 (1), IMEI database (2) or IR.85.

The tag is: misp-galaxy:gsma-motif="Mobile Network Operator Sources"

Table 1653. Table References

Links

page 20 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide.
(2) https://www.wikileaks.org/hackingteam/emails/emailid/72166

Acquire Infrastructure

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. For example, commercial service providers exist that offer access to signalling infrastructure or sell False Base Station solutions. Use of these infrastructure solutions allows an adversary to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal.

The tag is: misp-galaxy:gsma-motif="Acquire Infrastructure"

Table 1654. Table References

Links

page 20 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) TBIJ. (2020). Spy companies using Channel Islands to track phones around the world.

ATT&CK Enterprise: Acquire Infrastructure (T1583)

Core Signalling Infrastructure Access

Adversaries may buy, lease, or rent SS7, Diameter, GTP-C signalling infrastructure access or services that can be used during targeting (1), (2), (3). Targeted attacks to mobile network operators may use ‘surveillance as a service’ specialists to achieve their goals (2). Their attacks often blend in with normal traffic coming from partners of the victim mobile network operator and make attribution difficult. Fraudsters and spammers may use specific partner gateways or access to messaging servers for their purposes.

The tag is: misp-galaxy:gsma-motif="Core Signalling Infrastructure Access"

Table 1655. Table References

Links

page 21 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) TBIJ. (2020). Spy companies using Channel Islands to track phones around the world.
(2) CitizenLab. (2020). Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles.
(3) TBIJ. (2021). Swiss tech company boss accused of selling mobile network access for spying.
(4) Enea. (2021). 5G Network Slicing Security in 5G Core Networks
(5) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem

Radio Interface Access

Adversaries may buy, lease, or obtain physical access to a mobile operator network base station, or use their own rogue cellular base station (Stingray) for launching an attack (2) (3). The adversary could set up a rogue cellular base station infrastructure and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique (1).

The tag is: misp-galaxy:gsma-motif="Radio Interface Access"

Table 1656. Table References

Links

page 22 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) DePerry, D. & Ritter, T. (2013). I Can Hear You Now - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell. Black Hat USA 2013
(2) Wired. (2016). Here’s How Much a StingRay Cell Phone Surveillance Tool Costs
(3) Alibaba.com. Wholesale imsi catcher 4g For Online Communication

Develop Capabilities

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. In mobile networks, an adversary may develop false base stations (1), mobile exploits, core signalling exploitation tools (2), SIM card exploits, radio exploitation tools and other tools to initiate attacks.

The tag is: misp-galaxy:gsma-motif="Develop Capabilities"

Table 1657. Table References

Links

page 23 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Motherboard. (2018). Here’s How Easy It Is to Make Your Own IMSI-Catcher. (2) Lighthouse Reports. (2022). Revealing Europe’s NSO.

ATT&CK Enterprise: Develop Capabilities (T1587).

Mobile Network Tool

The adversary develops purpose-built tools for mobile networks that carry out and deliver exploits targeting mobile network elements (1) (2).

The tag is: misp-galaxy:gsma-motif="Mobile Network Tool"

Table 1658. Table References

Links

page 24 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Motherboard. (2018). Here’s How Easy It Is to Make Your Own IMSI-Catcher. (2) Lighthouse Reports. (2022). Revealing Europe’s NSO. (3) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem.

N/A

Exploit Interconnection Link

The adversary may get access to the target network via the interconnection interface.

The tag is: misp-galaxy:gsma-motif="Exploit Interconnection Link"

Table 1659. Table References

Links

page 24 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal.

International Direct Signalling Link

The adversary may get access to the target network via a direct signalling link connected to the international exchange.

The tag is: misp-galaxy:gsma-motif="International Direct Signalling Link"

Table 1660. Table References

Links

page 25 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2022). HiddenArt: A Russian-linked SS7 Threat Actor. (2) P1 Security. (2021). All authentication vectors are not made equal.

National Direct Signalling Link

The adversary may get access to the target network via a direct signalling link connected to the national exchange.

The tag is: misp-galaxy:gsma-motif="National Direct Signalling Link"

Table 1661. Table References

Links

page 25 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2014). SS7map: mapping vulnerability of the international mobile roaming infrastructure.

Exploit via Core Signalling Interface

The adversary may access the target network by exploiting signalling (i.e. control plane) protocols.

The tag is: misp-galaxy:gsma-motif="Exploit via Core Signalling Interface"

Table 1662. Table References

Links

page 26 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal.

SS7 Protocol

The adversary may access the target network by using the SS7 protocol.

The tag is: misp-galaxy:gsma-motif="SS7 Protocol"

Table 1663. Table References

Links

page 27 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe’s NSO. (3) Mc Daid, C. (2020). Watching the Watchers: How Surveillance Companies track you using Mobile Networks. #rC3 2020.

Diameter Protocol

The adversary may access the target network by using the Diameter protocol.

The tag is: misp-galaxy:gsma-motif="Diameter Protocol"

Table 1664. Table References

Links

page 27 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2020). Watching the Watchers: How Surveillance Companies track you using Mobile Networks. #rC3 2020.

HTTPS/2 Protocol

The adversary may access the target network by using the HTTP/2 (over TLS) protocol of the 5G service-based interfaces.

The tag is: misp-galaxy:gsma-motif="HTTPS/2 Protocol"

Table 1665. Table References

Links

page 28 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Mc Daid, C. (2020). Watching the Watchers: How Surveillance Companies track you using Mobile Networks. #rC3 2020.

Trusted Relationship

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that requires more complicated defence mechanisms to detect and prevent unauthorized access to a network (1) (2).

The tag is: misp-galaxy:gsma-motif="Trusted Relationship"

Table 1666. Table References

Links

page 28 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe’s NSO.

ATT&CK Enterprise: Trusted Relationship (T1199).

Exploit Interconnection Agreements

The technique can be conducted by a malicious partner, or by adversaries with access to interconnection networks or to a roaming partner's mobile network. The adversary can conduct the attacks remotely by launching signalling messages, e.g. related to location tracking, communication interception, or subscriber identity retrieval (1), (2), (3).

The tag is: misp-galaxy:gsma-motif="Exploit Interconnection Agreements"

Table 1667. Table References

Links

page 29 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal. (2) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (3) Lighthouse Reports. (2022). Revealing Europe’s NSO. (4) Enea. (2022). HiddenArt: A Russian-linked SS7 Threat Actor.

Exploit via Radio Interface

Adversaries may use the radio access network to initiate attacks towards the UE or the mobile network (1) (2) (3). The adversary may leverage vulnerabilities in the protocols that make up the signalling procedures in a radio network, for example system information (SIB1) messages, the RRC protocol, or the NAS protocols, to initiate attacks towards the UE or the mobile network.

The tag is: misp-galaxy:gsma-motif="Exploit via Radio Interface"

Table 1668. Table References

Links

page 30 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015. (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.

ATT&CK Mobile: Exploit via Radio Interfaces (T1477). Note: deprecated.

AS Signalling

Adversaries may modify or trigger control plane procedures on the radio interface control plane using Access Stratum (AS) signalling that occurs between the UE and the base station.

The tag is: misp-galaxy:gsma-motif="AS Signalling"

Table 1669. Table References

Links

page 31 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.

NAS Signalling

Adversaries may modify or trigger Non-Access-Stratum (NAS) signalling procedures that are generated from a false base station infrastructure. The adversary may impersonate core network elements (such as the MME) towards the UE, or impersonate the UE towards the core network elements.

The tag is: misp-galaxy:gsma-motif="NAS Signalling"

Table 1670. Table References

Links

page 32 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) CableLabs. (2019). False Base Station or IMSI Catcher: What You Need to Know. (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.

Radio Broadcast Channel (SIB1)

The adversary leverages the broadcast System Information Block 1 (SIB1) messages to advertise a new cell configuration to the target UEs, which in turn forces the UE to initiate procedures such as cell re-selection or Tracking Area Update (1), (2), (3).

The tag is: misp-galaxy:gsma-motif="Radio Broadcast Channel (SIB1)"

Table 1671. Table References

Links

page 32 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Aftenposten. (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (2) CableLabs. (2019). False Base Station or IMSI Catcher: What You Need to Know. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.

Identify Subscriber

An adversary may obtain a subscriber's permanent or temporary identifier by various means, for example through an HLR lookup or by monitoring the radio interface. From a 5G UE an adversary can obtain the permanent identifier only after the UE has been bid down (downgraded) to a less secure generation such as 4G, since in 4G and 3G the network can ask the UE to send its IMSI (International Mobile Subscriber Identity) in the clear over the radio interface. A 5G UE instead sends a concealed form of its permanent identifier, the Subscription Concealed Identifier (SUCI), over the radio interface as part of the initial registration to the 5G network. Some non-UE-specific parts of the Subscription Permanent Identifier (SUPI) remain unencrypted in the SUCI (e.g., the home network identifier).

The tag is: misp-galaxy:gsma-motif="Identify Subscriber"

Table 1672. Table References

Links

page 33 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network.

Subscriber Profile Identifier Discovery: Intercept bid-down SUPI

MITRE FiGHT™ (*) This is the same technique as in MITRE FiGHT, however a different name is used; MITRE FiGHT may potentially update in the future.
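As an added illustration of the point above (not code from the MoTIF document or from MITRE FiGHT), the script below models what a passive observer on the radio interface learns from a pre-5G Identity Response (cleartext IMSI) versus a 5G SUCI, including the case where the USIM is provisioned with the null protection scheme, in which the SUCI carries the MSIN in the clear. The IMSI digits, the two-digit MNC length, the routing indicator and the hex scheme output are constructed sample values; the script does not implement the ECIES concealment itself, it only classifies the fields an observer can read.

```python
"""Which subscriber-identity fields an on-air observer learns (added example,
constructed data; not code from the MoTIF document).

2G/3G/4G: after an Identity Request the UE can be made to send its full IMSI
in the clear. 5G: the UE sends a SUCI at registration. Of the SUCI fields,
only the scheme output (the concealed MSIN) is protected; SUPI type, MCC,
MNC, routing indicator, protection scheme id and home-network public key id
are plaintext. With protection scheme 0 (the null scheme) the scheme output
is the MSIN itself, so such a SUCI reveals as much as a cleartext IMSI.
"""
from dataclasses import dataclass

NULL_SCHEME, ECIES_PROFILE_A, ECIES_PROFILE_B = 0, 1, 2
SUPI_TYPE_IMSI = 0


@dataclass(frozen=True)
class Suci:
    supi_type: int          # 0 = IMSI-based SUPI
    mcc: str                # home network: mobile country code
    mnc: str                # home network: mobile network code (2 or 3 digits)
    routing_indicator: str  # 1-4 digits; lets the serving network pick the home UDM/SIDF
    scheme_id: int          # 0 null scheme, 1 ECIES profile A, 2 ECIES profile B
    hn_key_id: int          # home network public key identifier (0 with the null scheme)
    scheme_output: str      # concealed MSIN (hex) or, for the null scheme, the MSIN digits


def split_imsi(imsi, mnc_len=2):
    """Split an IMSI into (MCC, MNC, MSIN). The MNC is 2 or 3 digits
    depending on the PLMN; 2 is assumed for this example."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def null_scheme_suci(imsi, routing_indicator="0", mnc_len=2):
    """Build the SUCI a UE sends when its USIM is provisioned with the null
    scheme: no concealment at all, the scheme output equals the MSIN."""
    mcc, mnc, msin = split_imsi(imsi, mnc_len)
    return Suci(SUPI_TYPE_IMSI, mcc, mnc, routing_indicator, NULL_SCHEME, 0, msin)


def exposure_report(identity, mnc_len=2):
    """identity is ('imsi', digits) for a pre-5G Identity Response, or
    ('suci', Suci) for a 5G Registration Request. Returns what a passive
    observer on the radio interface learns about the subscriber."""
    kind, value = identity
    if kind == "imsi":
        mcc, mnc, msin = split_imsi(value, mnc_len)
        return {"home_network": f"{mcc}-{mnc}", "msin": msin,
                "permanent_id_exposed": True,
                "reason": "IMSI sent in the clear; no concealment before 5G"}
    if kind == "suci":
        s = value
        report = {"home_network": f"{s.mcc}-{s.mnc}",
                  "routing_indicator": s.routing_indicator,
                  "scheme_id": s.scheme_id, "hn_key_id": s.hn_key_id}
        if s.scheme_id == NULL_SCHEME:
            report.update(msin=s.scheme_output, permanent_id_exposed=True,
                          reason="null protection scheme: scheme output is the MSIN")
        else:
            report.update(msin=None, permanent_id_exposed=False,
                          reason="MSIN concealed with ECIES; only home network "
                                 "and routing indicator are visible")
        return report
    raise ValueError(f"unknown identity kind {kind!r}")


# Constructed sample captures (not real subscribers).
IMSI_4G = ("imsi", "262011234567890")
SUCI_NULL = ("suci", null_scheme_suci("262011234567890"))
SUCI_ECIES = ("suci", Suci(SUPI_TYPE_IMSI, "262", "01", "0", ECIES_PROFILE_A, 1,
                           "04a1b2c3" + "00" * 40))  # constructed, opaque scheme output

if __name__ == "__main__":
    for label, ident in (("4G identity response", IMSI_4G),
                         ("5G SUCI, null scheme", SUCI_NULL),
                         ("5G SUCI, ECIES profile A", SUCI_ECIES)):
        print(label, exposure_report(ident))
```

A radio-monitoring tool built on this logic would flag two things as equivalent from the subscriber's point of view: an IMSI in an Identity Response and a SUCI whose protection scheme id is 0. Both yield the MSIN; only the second looks like "5G" on the wire.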

Trigger Subscriber Terminated Activity

The adversary can trigger mobile-terminated activity towards the target subscriber, such as placing calls to the subscriber's number (1), sending silent SMS (2), or triggering notifications from instant messengers (1), in order to cause paging of the subscriber. The technique can be made stealthier by using silent phone calls or silent SMSs (2) (3). The adversary monitors the paging activity in the radio network and correlates the observed paging messages with the timing of the triggered activity to identify the target subscriber's (temporary) identifier.

The tag is: misp-galaxy:gsma-motif="Trigger Subscriber Terminated Activity"

Table 1673. Table References

Links

page 34 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Shaik, A. et al. (2016). Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. (2) Nohl, K. & Munaut, S. (2010). GSM Sniffing. 27th CCC. (3) Hussain, S. et al. (2019). Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.

N/A
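The correlation step described above, as an added example with constructed data (not code from the MoTIF document or from the cited papers): the attack side intersects paging-channel observations with the adversary's own trigger times; the operator side shows the tell-tale a detection engineer can look for, a burst of silent (Type 0) SMS to one MSISDN. Trigger timestamps, the paging log, the identifier strings and the MSISDNs are all made up for the example; the 3-second paging window and the burst thresholds are assumptions.

```python
"""Paging-correlation identity discovery and its network-side tell-tale
(added example with constructed data; not code from the MoTIF document).

Attack side: the adversary triggers mobile-terminated activity towards the
victim's phone number at times it chooses (silent SMS, silent calls), sniffs
the paging channel of the cells where it expects the victim, and keeps only
the temporary identifiers paged shortly after every trigger. Background
paging for other subscribers drops out of the intersection.

Defender side: the same probes are visible to the operator as a burst of
mobile-terminated events to one subscriber, e.g. several Type 0 ("silent")
SMS, which are delivered without any notification to the user.
"""
from collections import Counter

# Constructed: trigger timestamps (s) and a paging log of (timestamp, identifier).
TRIGGERS = [100.0, 160.0, 220.0, 280.0]
PAGING_LOG = [
    (95.2, "tmsi-1a2b"), (101.4, "tmsi-7f3e"), (101.9, "tmsi-c0de"),
    (130.0, "tmsi-1a2b"), (161.1, "tmsi-7f3e"), (161.8, "tmsi-9b0c"),
    (200.5, "tmsi-c0de"), (221.3, "tmsi-7f3e"), (222.0, "tmsi-1a2b"),
    (260.9, "tmsi-9b0c"), (281.6, "tmsi-7f3e"), (282.4, "tmsi-c0de"),
]


def correlate_paging(triggers, paging_log, window=3.0):
    """Rank identifiers by the number of triggers they were paged after.

    For each trigger, take the set of identifiers paged within `window`
    seconds; count per identifier how many triggers it follows. The victim's
    identifier follows all of them; unrelated traffic follows only a few.
    """
    hits = Counter()
    for t in triggers:
        paged = {ident for ts, ident in paging_log if t <= ts <= t + window}
        hits.update(paged)
    return hits.most_common()


def identify_target(triggers, paging_log, window=3.0, min_ratio=1.0):
    """Identifiers paged after at least min_ratio of the triggers."""
    needed = min_ratio * len(triggers)
    return [ident for ident, n in correlate_paging(triggers, paging_log, window)
            if n >= needed]


# Constructed operator-side records: (timestamp, target MSISDN, event kind).
MT_EVENTS = [
    (100.0, "+352000000001", "silent-sms"), (150.0, "+352000000002", "sms"),
    (160.0, "+352000000001", "silent-sms"), (220.0, "+352000000001", "silent-sms"),
    (280.0, "+352000000001", "silent-sms"), (300.0, "+352000000001", "call"),
]


def flag_probe_bursts(events, min_count=3, span=600.0, kinds=("silent-sms",)):
    """Return {msisdn: count} for subscribers that received at least
    min_count probe-type events within some `span`-second window.
    Silent SMS = Type 0 short message (TP-PID 0x40), shown to nobody."""
    stamps_by_sub = {}
    for ts, msisdn, kind in events:
        if kind in kinds:
            stamps_by_sub.setdefault(msisdn, []).append(ts)
    flagged = {}
    for msisdn, stamps in stamps_by_sub.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for ts in stamps[i:] if ts - start <= span)
            if in_window >= min_count:
                flagged[msisdn] = in_window
                break
    return flagged


if __name__ == "__main__":
    print(correlate_paging(TRIGGERS, PAGING_LOG))
    print(identify_target(TRIGGERS, PAGING_LOG))
    print(flag_probe_bursts(MT_EVENTS))
```

The attack needs several triggers because a single paging window contains other subscribers too; the count of triggers is exactly what makes the probe burst stand out on the operator side, which is why silent-SMS rate limiting per destination is a cheap mitigation.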

Retrieve Subscriber Identity Information

The adversary can retrieve subscriber identity information such as the IMSI, MSISDN, SUPI or SUCI.

The tag is: misp-galaxy:gsma-motif="Retrieve Subscriber Identity Information"

Table 1674. Table References

Links

page 35 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network.

N/A

Retrieve Subscriber Network Information

The adversary can retrieve subscriber network information such as the current serving network element(s).

The tag is: misp-galaxy:gsma-motif="Retrieve Subscriber Network Information"

Table 1675. Table References

Links

page 35 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network.

N/A

Masquerading

Adversaries may attempt to manipulate parameters in the control signalling to make them appear legitimate or benign to mobile subscribers, end nodes and/or security tools. Masquerading occurs when a parameter value is manipulated or abused for the sake of evading defences, or to convince the target that it is communicating with a different (spoofed) entity. A typical masquerading operation is manipulation of the source node address.

The tag is: misp-galaxy:gsma-motif="Masquerading"

Table 1676. Table References

Links

page 36 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten. (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service.

ATT&CK Enterprise: Masquerading (T1036).

Originating Entity Spoofing

The adversary may attempt to manipulate the originating address information, such as the SCCP Global Title, or the Diameter Origin-Host or Origin-Realm, for the sake of evading defences. On the radio side, the adversary may configure a false base station with a cell ID that is known to exist in the network, so that it does not stand out from legitimate cells.

The tag is: misp-galaxy:gsma-motif="Originating Entity Spoofing"

Table 1677. Table References

Links

page 37 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten. (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (3) Enea. (2022). HiddenArt: A Russian-linked SS7 Threat Actor.

Disguise Signalling Messages

The adversary can disguise its signalling messages in order to avoid detection and blocking of their attacks. Examples include using unexpected addresses, unexpected message format or unexpected message encoding.

The tag is: misp-galaxy:gsma-motif="Disguise Signalling Messages"

Table 1678. Table References

Links

page 37 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Symsoft & P1 Security. (2018). SS7 and Diameter: Exploit Delivery over signalling protocols. (2) Mc Daid, C. (2019). Simjacker: the next frontier in mobile espionage. VB2019.

Unexpected Encoding

The adversary may use an unexpected encoding of the signalling message in order to bypass detection and any defences which may be in place.

The tag is: misp-galaxy:gsma-motif="Unexpected Encoding"

Table 1679. Table References

Links

page 38 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Puzankov, K. (2019). Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf, May 2019.
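Serving both Disguise Signalling Messages and Unexpected Encoding above, an added example (not code from the MoTIF document or from the cited talk): the same MAP anyTimeInterrogation Invoke encoded three ways that are all valid BER, a byte-signature filter that catches only the canonical form, and a small BER decoder that catches all three. The encoder builds only the TCAP Invoke component, not the surrounding TCAP transaction or the SCCP/MTP layers; the two filter functions and their names are this example's own, and the decoder deliberately handles just what the example needs (single-octet tags).

```python
"""One MAP operation in three valid BER encodings, and why a byte signature
misses one of them (added example; not code from the MoTIF document).

BER, unlike DER, allows several encodings of the same value: a length may be
in short form (one octet), in long form (0x81 followed by the length), or,
for constructed types, in indefinite form terminated by 00 00. A filter that
looks for the raw bytes of a known-bad opCode only matches the encoding it
was written for; a decoder that normalises the TLV structure matches all.
"""

INTEGER = 0x02
INVOKE_TAG = 0xA1   # TCAP Invoke component: context-specific [1], constructed
ATI_OPCODE = 71     # MAP local opCode anyTimeInterrogation; GSMA FS.11 category 1,
                    # i.e. never legitimate when arriving over the interconnect


def ber_length(length, form="short"):
    """Encode a BER length; 'short' falls back to long form for >= 128."""
    if form == "indefinite":
        return b"\x80"
    if form == "short" and length < 0x80:
        return bytes([length])
    body = length.to_bytes(max(1, (length.bit_length() + 7) // 8), "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content, form="short"):
    out = bytes([tag]) + ber_length(len(content), form) + content
    return out + b"\x00\x00" if form == "indefinite" else out


def invoke_ati(invoke_id=1, inner="short", outer="short"):
    """Invoke { invokeID, opCode local:71 }. inner = length form of the two
    INTEGERs, outer = length form of the constructed Invoke wrapper."""
    body = tlv(INTEGER, bytes([invoke_id]), inner) + tlv(INTEGER, bytes([ATI_OPCODE]), inner)
    return tlv(INVOKE_TAG, body, outer)


def _read_length(data, i):
    """Return (length or None for indefinite, index of the first content octet)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    if first == 0x80:
        return None, i + 1
    n = first & 0x7F
    if n == 0x7F or i + 1 + n > len(data):
        raise ValueError("bad long-form length")
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n


def decode_ber(data, i=0, end=None):
    """Decode BER TLVs in data[i:end] into [(tag, value)], value being bytes
    for primitives and a nested list for constructed types. Returns
    (items, index after the last octet consumed); lengths are normalised away."""
    end = len(data) if end is None else end
    items = []
    while i < end:
        tag = data[i]
        if tag == 0x00 and i + 1 < end and data[i + 1] == 0x00:
            return items, i + 2            # end-of-contents of an indefinite parent
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-octet tags not handled in this example")
        length, i = _read_length(data, i + 1)
        constructed = bool(tag & 0x20)
        if length is None:
            if not constructed:
                raise ValueError("indefinite length on a primitive type")
            children, i = decode_ber(data, i, end)
            items.append((tag, children))
            continue
        if i + length > end:
            raise ValueError("length runs past the end of the data")
        chunk = data[i:i + length]
        items.append((tag, decode_ber(chunk)[0] if constructed else bytes(chunk)))
        i += length
    return items, i


def invoke_opcodes(items):
    """Local opCodes of all Invoke components in a decoded tree (invokeID is
    the first INTEGER child, the local opCode the second)."""
    ops = []
    for tag, value in items:
        if not isinstance(value, list):
            continue
        if tag == INVOKE_TAG:
            ints = [int.from_bytes(v, "big", signed=True) for t, v in value if t == INTEGER]
            if len(ints) >= 2:
                ops.append(ints[1])
        else:
            ops.extend(invoke_opcodes(value))
    return ops


def naive_filter_blocks(data):
    """Byte-signature rule: the octets 'INTEGER, length 1, value 71' occur."""
    return bytes([INTEGER, 0x01, ATI_OPCODE]) in data


def decoding_filter_blocks(data):
    """Structural rule: some Invoke carries local opCode 71, however encoded."""
    return ATI_OPCODE in invoke_opcodes(decode_ber(data)[0])


VARIANTS = {
    "canonical": invoke_ati(),
    "long-form lengths": invoke_ati(inner="long", outer="long"),
    "indefinite outer": invoke_ati(outer="indefinite"),
}

if __name__ == "__main__":
    for name, msg in VARIANTS.items():
        print(f"{name:18} {msg.hex():24} signature={naive_filter_blocks(msg)!s:5} "
              f"decoder={decoding_filter_blocks(msg)}")
```

The long-form variant is the one that slips past the signature: `02 81 01 47` and `02 01 47` are the same INTEGER to any conforming BER decoder, but not to a substring match. An SS7 firewall therefore has to decode to the component level before applying its category rules, and should reject encodings it cannot parse rather than pass them through.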

Access Subscriber Data

The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.

The tag is: misp-galaxy:gsma-motif="Access Subscriber Data"

Table 1680. Table References

Links

page 38 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2019). Simjacker: the next frontier in mobile espionage. VB2019.

Subscriber Authentication Data

The adversary may acquire subscriber authentication information from mobile network registers, such as HLR/HSS/AuC or MSC/VLR, SGSN, MME. For example, the adversary may query subscriber keys, authentication vectors etc. and use this information to tailor further phases of the attack.

The tag is: misp-galaxy:gsma-motif="Subscriber Authentication Data"

Table 1681. Table References

Links

page 39 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) P1 Security. (2021). All authentication vectors are not made equal.

Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including authentication material, base station configuration and user plane traffic passed over the network.

The tag is: misp-galaxy:gsma-motif="Network Sniffing"

Table 1682. Table References

Links

page 40 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Kotuliak, M. et al. (2022). LTrack: Stealthy Tracking of Mobile Phones in LTE.

Network Sniffing, Technique T1040 - Enterprise

MITRE ATT&CK® Network Sniffing

MITRE FiGHT™ (FGT1040)

Radio Interface

An adversary may eavesdrop on unencrypted or encrypted traffic to capture information to and from a UE. An adversary may employ a back-to-back false base station to eavesdrop on the communication and relay it between the intended recipient and the intended source over the radio interface. The adversary may also passively sniff the radio traffic and capture specific traffic that can then, if possible, be analysed (1). When operating a false base station the adversary needs to obtain the cell configuration parameters that will be used to prepare the next phase of an attack utilising the radio interface. Examples of such configuration are the Physical Cell ID (PCI), neighbouring cells, frequencies used, and Location Area Codes/Tracking Area Codes (LAC/TAC) (2). The adversary may use methods of capturing control plane or user plane traffic on the radio interface.

The tag is: misp-galaxy:gsma-motif="Radio Interface"

Table 1683. Table References

Links

page 41 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015. (2) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (3) P1 Security. (2021). All authentication vectors are not made equal.

Network Sniffing: Radio interface

MITRE FiGHT™ (FGT1040.501)
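Pulling together the cell-configuration parameters listed under Radio Interface, the cloned cell ID from Originating Entity Spoofing and the SIB1-driven reselection/TAU behaviour from Radio Broadcast Channel (SIB1), here is an added example of the detection side (constructed data; not code from the MoTIF document or from the cited FBS-detection work): a baseline of known cells and a scan containing one legitimate cell, one outright fake and one clone of a real cell identity on a different carrier. The cell identities, PCIs, TACs, EARFCNs, power values and the -50 dBm / priority-5 thresholds are assumptions made for the example.

```python
"""False-base-station heuristics over cell-scan records (added example with
constructed data; not code from the MoTIF document).

The baseline is what the operator (or a scanning handset) has already seen
for a PLMN: cell identity and TAC from SIB1, the PCI and EARFCN the cell was
found on. A false base station tends to (a) broadcast a cell identity or TAC
the PLMN never used, (b) clone a real cell identity but on another PCI or
carrier, (c) broadcast a different TAC under a known identity so that UEs
perform a Tracking Area Update (after which a 4G network can request the
IMSI), (d) appear implausibly strong, or (e) advertise a high reselection
priority to pull UEs onto it. The thresholds below are example assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    plmn: str           # MCC+MNC from SIB1, e.g. "26201"
    cell_id: int        # 28-bit E-UTRAN cell identity from SIB1
    pci: int            # physical cell identity (0-503)
    tac: int            # tracking area code from SIB1
    earfcn: int         # carrier the cell was found on
    rsrp_dbm: float     # measured reference signal received power
    reselect_prio: int  # cellReselectionPriority (0-7) from SIB3/SIB5


# Constructed baseline: cells previously seen for this PLMN in this area.
BASELINE = [
    Cell("26201", 0x1A2B01, 101, 4711, 1300, -85.0, 3),
    Cell("26201", 0x1A2B02, 102, 4711, 1300, -90.0, 3),
    Cell("26201", 0x1A2B03, 103, 4712, 1850, -95.0, 3),
]

# Constructed scan: one legitimate cell, one outright fake, one clone.
SCAN = [
    Cell("26201", 0x1A2B01, 101, 4711, 1300, -83.0, 3),
    Cell("26201", 0x00FF01, 250, 9999, 1300, -45.0, 7),
    Cell("26201", 0x1A2B02, 377, 4711, 6300, -60.0, 3),
]


def score_cell(cell, baseline, rsrp_max_dbm=-50.0, max_prio=5):
    """Return the list of findings for one observed cell (empty = looks normal)."""
    known = {(c.plmn, c.cell_id): c for c in baseline}
    known_tacs = {c.tac for c in baseline if c.plmn == cell.plmn}
    findings = []
    ref = known.get((cell.plmn, cell.cell_id))
    if ref is None:
        findings.append("cell identity never seen for this PLMN")
    else:
        if (ref.pci, ref.earfcn) != (cell.pci, cell.earfcn):
            findings.append("known cell identity on a different PCI/EARFCN (possible clone)")
        if ref.tac != cell.tac:
            findings.append("known cell identity broadcasting a different TAC (forces TAU)")
    if cell.tac not in known_tacs:
        findings.append("TAC never seen for this PLMN")
    if cell.rsrp_dbm > rsrp_max_dbm:
        findings.append(f"implausibly strong signal ({cell.rsrp_dbm:.0f} dBm)")
    if cell.reselect_prio > max_prio:
        findings.append("abnormally high cell reselection priority")
    return findings


def flag_suspicious(scan, baseline):
    """Map cell identity -> findings for every scanned cell that has any."""
    flagged = {}
    for cell in scan:
        findings = score_cell(cell, baseline)
        if findings:
            flagged[cell.cell_id] = findings
    return flagged


if __name__ == "__main__":
    for cid, findings in flag_suspicious(SCAN, BASELINE).items():
        print(f"cell 0x{cid:07X}:")
        for f in findings:
            print("  -", f)
```

The clone case is the one a naive "is this cell ID known?" check misses: the identity is legitimate, but it has never been seen on that PCI and carrier, which is exactly what Originating Entity Spoofing on the radio side looks like from a scanner.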

Locate Subscriber

An adversary may obtain the UE location (coarse or fine) by various means, using either the radio access network or the core network.

The tag is: misp-galaxy:gsma-motif="Locate Subscriber"

Table 1684. Table References

Links

page 41 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2022). HiddenArt: A Russian-linked SS7 Threat Actor. (2) Mc Daid, C. (2019). Simjacker: the next frontier in mobile espionage. VB2019. (3) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe.

Location Tracking, Technique T1430 - Mobile

MITRE ATT&CK® Locate UE

MITRE FiGHT™ (FGT5012)

Core Network Function Signalling

An adversary in the core network exploits signalling protocols to obtain the location of the UE. User location tracking is part of normal cellular operation. Adversaries with access to the core network or to a core network function (NF) can misuse signalling protocols (e.g., SS7, GTP, Diameter, or the 5G SBI API calls), or exploit vulnerabilities in the signalling plane, in order to obtain location information for a given UE.

The tag is: misp-galaxy:gsma-motif="Core Network Function Signalling"

Table 1685. Table References

Links

page 42 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Enea. (2022). HiddenArt: A Russian-linked SS7 Threat Actor. (2) Mc Daid, C. (2020). Watching the Watchers: How Surveillance Companies track you using Mobile Networks. #rC3 2020.

Locate UE: Core Network Function Signaling

MITRE FiGHT™ (FGT5012.004)

Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available on various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts (1) (2) (3). Adversaries may gather subscription- or residence-related information about subscriber(s), for example phone number (MSISDN), home address, or home mobile network operator. Adversaries may also gather information about the mobile network operator to be used in initial access or in preparation of the attack: network architecture, protocols, ports, Global Titles, roaming partners, or suppliers (4).

The tag is: misp-galaxy:gsma-motif="Search Open Websites/Domains"

Table 1686. Table References

Links

page 43 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Security Trails. (2019). Exploring Google Hacking Techniques. (3) Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020. (4) Holtmanns, S. (2018). Secure Interworking Between Networks in 5G Service Based Architecture. ETSI Security Week 2018.

Search Open Websites/Domains, Technique T1593 - Enterprise

MITRE ATT&CK® GSMA Non-public materials

Social Media

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use the information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service) (1). Information from these sources may reveal opportunities for other forms of reconnaissance, establishing operational resources, and/or initial access. Social media sites may contain information about subscriber phone numbers, addresses, etc., which can be used e.g. when installing false base stations in close vicinity of the victim (2).

The tag is: misp-galaxy:gsma-motif="Social Media"

Table 1687. Table References

Links

page 44 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Equifax UK. (2022). The risks of sharing your location on social media.

Search Open Websites/Domains: Social Media, Sub-technique T1593.001 - Enterprise

MITRE ATT&CK®

Adversary-in-the-Middle

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (1) (2). Adversaries may leverage the AiTM position to attempt to monitor traffic.

The tag is: misp-galaxy:gsma-motif="Adversary-in-the-Middle"

Table 1688. Table References

Links

page 44 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (2) P1 Security. (2021). All authentication vectors are not made equal.

Adversary-in-the-Middle, Technique T1557 - Enterprise

MITRE ATT&CK® Adversary-in-the-Middle

MITRE FiGHT™ (FGT1557)

Radio Interface Authentication Relay

An adversary positions itself on the radio interface to capture information to and from the UE. The adversary can deploy a false base station as a back-to-back base station/UE pair that impersonates the UE towards the real eNB or core network element (such as the MME), and impersonates the base station or core network element towards the target UE (1) (2).

The tag is: misp-galaxy:gsma-motif="Radio Interface Authentication Relay"

Table 1689. Table References

Links

page 45 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal. https://labs.p1sec.com/2021/09/30/all-authentication-vectors-are-not-made-equal/

Adversary-in-the-Middle: Radio interface

MITRE FiGHT™

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:

  • Manipulation of development tools

  • Manipulation of a development environment

  • Manipulation of source code repositories (public or private)

  • Manipulation of source code in open-source dependencies

  • Manipulation of software update/distribution mechanisms

  • Compromised/infected system images (multiple cases of removable media infected at the factory) (1) (2)

  • Replacement of legitimate software with modified versions

  • Sales of modified/counterfeit products to legitimate distributors

  • Shipment interdiction

While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.

The tag is: misp-galaxy:gsma-motif="Supply Chain Compromise"

Table 1690. Table References

Links

page 46 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Register. (2023). Millions of mobile phones come pre-infected with Malware (2) Schneider Electric. (2018). Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor.

Supply Chain Compromise, Technique T1195 - Enterprise

MITRE ATT&CK®

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

The tag is: misp-galaxy:gsma-motif="Compromise Software Supply Chain"

Table 1691. Table References

Links

page 47 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Register. (2023). Millions of mobile phones come pre-infected with Malware

Supply Chain Compromise: Compromise Software Supply Chain, Sub-technique T1195.002 - Enterprise

MITRE ATT&CK®

Network Function Service Discovery

An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.

The tag is: misp-galaxy:gsma-motif="Network Function Service Discovery"

Table 1692. Table References

Links

page 47 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield. (2021). Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK. (2) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem

Network Function Service Discovery

MITRE FiGHT™ (FGT5003)

Exploitation for Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.

The tag is: misp-galaxy:gsma-motif="Exploitation for Credential Access"

Table 1693. Table References

Links

page 48 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem

Exploitation for Credential Access, Technique T1212 - Enterprise

MITRE ATT&CK® https://fight.mitre.org/techniques/FGT5003/

Data Manipulation

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

The tag is: misp-galaxy:gsma-motif="Data Manipulation"

Table 1694. Table References

Links

page 49 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem

Data Manipulation, Technique T1565 - Enterprise

MITRE ATT&CK® Data Manipulation

MITRE FiGHT™ (FGT1565)

Stored Data Manipulation

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

The tag is: misp-galaxy:gsma-motif="Stored Data Manipulation"

Table 1695. Table References

Links

page 49 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf

(1) Mobileum. (2023). OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem

Data Manipulation: Stored Data Manipulation, Sub-technique T1565.001 - Enterprise

MITRE ATT&CK®

Human Layer Kill Chain

Human Layer Kill Chain (HKC) framework.

Human Layer Kill Chain is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Vasilis Katos - Jane Henriksen-Bulmer - Emily Rosenorn-Lanng - Ala Yankouskaya

Research dating platforms and identify vulnerable profiles

Research dating platforms and identify vulnerable profiles

The tag is: misp-galaxy:human-layer-kill-chain="Research dating platforms and identify vulnerable profiles"

Identify low value target/employee

Identify low value target/employee

The tag is: misp-galaxy:human-layer-kill-chain="Identify low value target/employee"

Analyse emotional vulnerabilities (recent loss, loneliness)

Analyse emotional vulnerabilities (recent loss, loneliness)

The tag is: misp-galaxy:human-layer-kill-chain="Analyse emotional vulnerabilities (recent loss, loneliness)"

Profile executives

Profile executives

The tag is: misp-galaxy:human-layer-kill-chain="Profile executives"

Create attractive fake profiles with stolen/deepfake photos

Create attractive fake profiles with stolen/deepfake photos

The tag is: misp-galaxy:human-layer-kill-chain="Create attractive fake profiles with stolen/deepfake photos"

Create spoofed email

Create spoofed email

The tag is: misp-galaxy:human-layer-kill-chain="Create spoofed email"

Initial contact and emotional connection

Initial contact and emotional connection

The tag is: misp-galaxy:human-layer-kill-chain="Initial contact and emotional connection"

Establish legitimacy

Establish legitimacy

The tag is: misp-galaxy:human-layer-kill-chain="Establish legitimacy"

Send email

Send email

The tag is: misp-galaxy:human-layer-kill-chain="Send email"

Deploy urgency payment request

Deploy urgency payment request

The tag is: misp-galaxy:human-layer-kill-chain="Deploy urgency payment request"

Deliver ransomware note

Deliver ransomware note

The tag is: misp-galaxy:human-layer-kill-chain="Deliver ransomware note"

Build deep emotional dependency

Build deep emotional dependency

The tag is: misp-galaxy:human-layer-kill-chain="Build deep emotional dependency"

Payment negotiation

Payment negotiation

The tag is: misp-galaxy:human-layer-kill-chain="Payment negotiation"

Crypto payment support

Crypto payment support

The tag is: misp-galaxy:human-layer-kill-chain="Crypto payment support"

Request financial help with fabricated emergency

Request financial help with fabricated emergency

The tag is: misp-galaxy:human-layer-kill-chain="Request financial help with fabricated emergency"

Execute fund transfer

Execute fund transfer

The tag is: misp-galaxy:human-layer-kill-chain="Execute fund transfer"

Delete profile and online presence

Delete profile and online presence

The tag is: misp-galaxy:human-layer-kill-chain="Delete profile and online presence"

Intelligence Agencies

List of intelligence agencies.

Intelligence Agencies is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Graham87 - Frietjes - Narky Blert - Pkbwcgs - Girth Summit - InternetArchiveBot - AnomieBOT - GreenMeansGo - MusikBot - Trappist the monk

General Directorate of Intelligence

General Directorate of Intelligence (GDI) – د استخباراتو لوی ریاست

The tag is: misp-galaxy:intelligence-agency="General Directorate of Intelligence"

General Directorate of Intelligence is also known as:

  • د استخباراتو لوی ریاست

Table 1696. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_of_Intelligence

National Intelligence Service (Albania)

State Intelligence Service (SHISH) – Sherbimi Informativ Shteteror

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Albania)"

National Intelligence Service (Albania) is also known as:

  • Sherbimi Informativ Shteteror

Table 1697. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Albania)

Dirección de Observaciones Judiciales

Directorate of Judicial Surveillance (DOJ) – Dirección de Observaciones Judiciales

The tag is: misp-galaxy:intelligence-agency="Dirección de Observaciones Judiciales"

Table 1698. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Observaciones_Judiciales

Servicio Federal de Lucha contra el Narcotráfico

Federal Counternarcotics Service (SEFECONAR) – Servicio Federal de Lucha contra el Narcotráfico

The tag is: misp-galaxy:intelligence-agency="Servicio Federal de Lucha contra el Narcotráfico"

Table 1699. Table References

Links

https://en.wikipedia.org/wiki/Servicio_Federal_de_Lucha_contra_el_Narcotr%C3%A1fico

Inteligencia de la Gendarmería Nacional Argentina

Argentine National Gendarmerie Intelligence (SIGN) – Inteligencia de la Gendarmería Nacional Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Gendarmería Nacional Argentina"

Table 1700. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Gendarmer%C3%ADa_Nacional_Argentina

Dirección Nacional de Inteligencia Estratégica Militar

National Directorate of Strategic Military Intelligence (DNIEM) – Dirección Nacional de Inteligencia Estratégica Militar

The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Estratégica Militar"

Table 1701. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Estrat%C3%A9gica_Militar

Inteligencia del Servicio Penitenciario Federal

Federal Penitentiary Service Intelligence – Inteligencia del Servicio Penitenciario Federal

The tag is: misp-galaxy:intelligence-agency="Inteligencia del Servicio Penitenciario Federal"

Table 1702. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_del_Servicio_Penitenciario_Federal

Inteligencia de la Policía de Seguridad Aeroportuaria

Airport Security Police Intelligence – Inteligencia de la Policía de Seguridad Aeroportuaria

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía de Seguridad Aeroportuaria"

Table 1703. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_de_Seguridad_Aeroportuaria

Dirección Nacional de Inteligencia Criminal

National Directorate of Criminal Intelligence (DNIC) – Dirección Nacional de Inteligencia Criminal

The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Criminal"

Table 1704. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Criminal

Inteligencia de la Policía Federal Argentina

Argentine Federal Police Intelligence – Inteligencia de la Policía Federal Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Federal Argentina"

Table 1705. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Federal_Argentina

Inteligencia de la Policía Bonaerense

Buenos Aires Police Intelligence (SIPBA) – Inteligencia de la Policía Bonaerense

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Bonaerense"

Table 1706. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Bonaerense

Inteligencia de la Prefectura Naval Argentina

Argentine Naval Prefecture Intelligence (SIPN) – Inteligencia de la Prefectura Naval Argentina

The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Prefectura Naval Argentina"

Table 1707. Table References

Links

https://en.wikipedia.org/wiki/Inteligencia_de_la_Prefectura_Naval_Argentina

Unidad de Inteligencia Financiera (Argentina)

Financial Intelligence Unit (UIF) – Unidad de Inteligencia Financiera

The tag is: misp-galaxy:intelligence-agency="Unidad de Inteligencia Financiera (Argentina)"

Unidad de Inteligencia Financiera (Argentina) is also known as:

  • Unidad de Inteligencia Financiera

Table 1708. Table References

Links

https://en.wikipedia.org/wiki/Unidad_de_Inteligencia_Financiera_(Argentina)

Central de Reunión de Inteligencia Militar

Military Intelligence Collection Center (CRIM) – Central de Reunión de Inteligencia Militar

The tag is: misp-galaxy:intelligence-agency="Central de Reunión de Inteligencia Militar"

Table 1709. Table References

Links

https://en.wikipedia.org/wiki/Central_de_Reuni%C3%B3n_de_Inteligencia_Militar

Servicio de Inteligencia del Ejército (Argentina)

Army Intelligence Service (SIE) – Servicio de Inteligencia del Ejército

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia del Ejército (Argentina)"

Servicio de Inteligencia del Ejército (Argentina) is also known as:

  • Servicio de Inteligencia del Ejército

Table 1710. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_del_Ej%C3%A9rcito_(Argentina)

Servicio de Inteligencia Naval (Argentina)

Naval Intelligence Service (SIN) – Servicio de Inteligencia Naval

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia Naval (Argentina)"

Servicio de Inteligencia Naval (Argentina) is also known as:

  • Servicio de Inteligencia Naval

Table 1711. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_Naval_(Argentina)

Servicio de Inteligencia de la Fuerza Aérea (Argentina)

Air Force Intelligence Service (SIFA) – Servicio de Inteligencia de la Fuerza Aérea

The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia de la Fuerza Aérea (Argentina)"

Servicio de Inteligencia de la Fuerza Aérea (Argentina) is also known as:

  • Servicio de Inteligencia de la Fuerza Aérea

Table 1712. Table References

Links

https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_de_la_Fuerza_A%C3%A9rea_(Argentina)

National Security Service (Armenia)

National Security Service (NSS)

The tag is: misp-galaxy:intelligence-agency="National Security Service (Armenia)"

Table 1713. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Service_(Armenia)

Australian Security Intelligence Organisation

Australian Security Intelligence Organisation (ASIO)

The tag is: misp-galaxy:intelligence-agency="Australian Security Intelligence Organisation"

Table 1714. Table References

Links

https://en.wikipedia.org/wiki/Australian_Security_Intelligence_Organisation

Australian Secret Intelligence Service

Australian Secret Intelligence Service (ASIS)

The tag is: misp-galaxy:intelligence-agency="Australian Secret Intelligence Service"

Table 1715. Table References

Links

https://en.wikipedia.org/wiki/Australian_Secret_Intelligence_Service

Australian Signals Directorate

Australian Signals Directorate (ASD)

The tag is: misp-galaxy:intelligence-agency="Australian Signals Directorate"

Table 1716. Table References

Links

https://en.wikipedia.org/wiki/Australian_Signals_Directorate

Australian Geospatial-Intelligence Organisation

Australian Geospatial-Intelligence Organisation (AGO)

The tag is: misp-galaxy:intelligence-agency="Australian Geospatial-Intelligence Organisation"

Table 1717. Table References

Links

https://en.wikipedia.org/wiki/Australian_Geospatial-Intelligence_Organisation

Defence Intelligence Organisation

Defence Intelligence Organisation (DIO)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Organisation"

Table 1718. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence_Organisation

Office of National Intelligence (Australia)

Office of National Intelligence (ONI)

The tag is: misp-galaxy:intelligence-agency="Office of National Intelligence (Australia)"

Table 1719. Table References

Links

https://en.wikipedia.org/wiki/Office_of_National_Intelligence_(Australia)

Heeresnachrichtenamt

Heeresnachrichtenamt (HNA): Army Intelligence Office

The tag is: misp-galaxy:intelligence-agency="Heeresnachrichtenamt"

Heeresnachrichtenamt is also known as:

  • Army Intelligence Office

Table 1720. Table References

Links

https://en.wikipedia.org/wiki/Heeresnachrichtenamt

Ministry of Defence (Austria)

Abwehramt (AbwA): Counter-Intelligence Office

The tag is: misp-galaxy:intelligence-agency="Ministry of Defence (Austria)"

Ministry of Defence (Austria) is also known as:

  • Counter-Intelligence Office

Table 1721. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Defence_(Austria)#Subordinate_departments

State Security and Intelligence Directorate

Direktion Staatsschutz und Nachrichtendienst (DSN): State Security and Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="State Security and Intelligence Directorate"

Table 1722. Table References

Links

https://en.wikipedia.org/wiki/State_Security_and_Intelligence_Directorate

State Security Service of the Republic of Azerbaijan

State Security Service (Dövlət Təhlükəsizliyi Xidməti)

The tag is: misp-galaxy:intelligence-agency="State Security Service of the Republic of Azerbaijan"

Table 1723. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_of_the_Republic_of_Azerbaijan

Foreign Intelligence Service (Azerbaijan)

Foreign Intelligence Service (Xarici Kəşfiyyat Xidməti)

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Azerbaijan)"

Table 1724. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Azerbaijan)

Financial Monitoring Service (Azerbaijan)

Financial Monitoring Service (Maliyyə Monitorinqi Xidməti)

The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Service (Azerbaijan)"

Table 1725. Table References

Links

https://en.wikipedia.org/wiki/Financial_Monitoring_Service_(Azerbaijan)

Special Branch (Bahamas)

Security and Intelligence Branch (SIB)

The tag is: misp-galaxy:intelligence-agency="Special Branch (Bahamas)"

Table 1726. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch#Bahamas

Financial Intelligence Unit (Bahamas)

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Bahamas)"

Table 1727. Table References

Links

https://en.wikipedia.org/wiki/Financial_Intelligence_Unit

National Crime Intelligence Agency (NCIA)

National Crime Intelligence Agency (NCIA)

The tag is: misp-galaxy:intelligence-agency="National Crime Intelligence Agency (NCIA)"

National Security Agency (Bahrain)

NSA – National Security Agency

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Bahrain)"

Table 1728. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Bahrain)

National Committee for Intelligence Coordination

National Committee for Intelligence Coordination

The tag is: misp-galaxy:intelligence-agency="National Committee for Intelligence Coordination"

Table 1729. Table References

Links

https://en.wikipedia.org/wiki/National_Committee_for_Intelligence_Coordination

National Security Intelligence

National Security Intelligence (NSI)

The tag is: misp-galaxy:intelligence-agency="National Security Intelligence"

Table 1730. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Intelligence

Special Security Force

Special Security Force – Intelligence Bureau (SSF-IB)

The tag is: misp-galaxy:intelligence-agency="Special Security Force"

Table 1731. Table References

Links

https://en.wikipedia.org/wiki/Special_Security_Force

National Security Affairs Cell

National Security Affairs Cell

The tag is: misp-galaxy:intelligence-agency="National Security Affairs Cell"

Table 1732. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Affairs_Cell

Special Branch, Bangladesh Police

Special Branch (SB)

The tag is: misp-galaxy:intelligence-agency="Special Branch, Bangladesh Police"

Table 1733. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch,_Bangladesh_Police

Detective Branch, Bangladesh Police

Detective Branch (DB)

The tag is: misp-galaxy:intelligence-agency="Detective Branch, Bangladesh Police"

Table 1734. Table References

Links

https://en.wikipedia.org/wiki/Detective_Branch,_Bangladesh_Police

Police Bureau of Investigation

Police Bureau of Investigation (PBI)

The tag is: misp-galaxy:intelligence-agency="Police Bureau of Investigation"

Table 1735. Table References

Links

https://en.wikipedia.org/wiki/Police_Bureau_of_Investigation

Criminal Investigation Department (Bangladesh)

Criminal Investigation Department (CID)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Bangladesh)"

Table 1736. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Bangladesh)

Counter Terrorism and Transnational Crime

Counter Terrorism and Transnational Crime (CTTC)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Transnational Crime"

Table 1737. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_and_Transnational_Crime

Rapid Action Battalion

Rapid Action Battalion – Intelligence Wing (RAB-IW)

The tag is: misp-galaxy:intelligence-agency="Rapid Action Battalion"

Table 1738. Table References

Links

https://en.wikipedia.org/wiki/Rapid_Action_Battalion

Directorate General of Forces Intelligence

Directorate General of Forces Intelligence (DGFI)

The tag is: misp-galaxy:intelligence-agency="Directorate General of Forces Intelligence"

Table 1739. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Forces_Intelligence

Counter Terrorism and Intelligence Bureau

Counter Terrorism and Intelligence Bureau (CTIB)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Intelligence Bureau"

Table 1740. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_and_Intelligence_Bureau

National Telecommunication Monitoring Centre

National Telecommunication Monitoring Centre (NTMC)

The tag is: misp-galaxy:intelligence-agency="National Telecommunication Monitoring Centre"

Table 1741. Table References

Links

https://en.wikipedia.org/wiki/National_Telecommunication_Monitoring_Centre

National Board of Revenue

Central Intelligence Unit (CIU)

The tag is: misp-galaxy:intelligence-agency="National Board of Revenue"

Table 1742. Table References

Links

https://en.wikipedia.org/wiki/National_Board_of_Revenue

Bangladesh Financial Intelligence Unit

Bangladesh Financial Intelligence Unit (BFIU)

The tag is: misp-galaxy:intelligence-agency="Bangladesh Financial Intelligence Unit"

Table 1743. Table References

Links

https://en.wikipedia.org/wiki/Bangladesh_Financial_Intelligence_Unit

Digital Security Agency

Digital Security Agency

The tag is: misp-galaxy:intelligence-agency="Digital Security Agency"

Table 1744. Table References

Links

https://en.wikipedia.org/wiki/Digital_Security_Agency

Financial Intelligence Unit (Barbados)

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Barbados)"

Table 1745. Table References

Links

https://en.wikipedia.org/wiki/Financial_Intelligence_Unit

Criminal Investigations Department

Criminal Investigations Department (CID)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigations Department"

Table 1746. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigations_Department

State Security Committee of the Republic of Belarus

State Security Committee of the Republic of Belarus (KDB/KGB) (State Security Committee)

The tag is: misp-galaxy:intelligence-agency="State Security Committee of the Republic of Belarus"

Table 1747. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Committee_of_the_Republic_of_Belarus

Belgian State Security Service

VSSE (State Security Service)

The tag is: misp-galaxy:intelligence-agency="Belgian State Security Service"

Table 1748. Table References

Links

https://en.wikipedia.org/wiki/Belgian_State_Security_Service

Belgian General Information and Security Service

ADIV/SGRS (General Intelligence and Security Service, military intelligence)

The tag is: misp-galaxy:intelligence-agency="Belgian General Information and Security Service"

Table 1749. Table References

Links

https://en.wikipedia.org/wiki/Belgian_General_Information_and_Security_Service

Intelligence-Security Agency of Bosnia and Herzegovina

Intelligence-Security Agency of Bosnia and Herzegovina (OSA)

The tag is: misp-galaxy:intelligence-agency="Intelligence-Security Agency of Bosnia and Herzegovina"

Table 1750. Table References

Links

https://en.wikipedia.org/wiki/Intelligence-Security_Agency_of_Bosnia_and_Herzegovina

Državna Agencija za Istrage i Zaštitu

Državna Agencija za Istrage i Zaštitu (State Investigation and Protection Agency, SIPA)

The tag is: misp-galaxy:intelligence-agency="Državna Agencija za Istrage i Zaštitu"

Table 1751. Table References

Links

https://en.wikipedia.org/wiki/Dr%C5%BEavna_Agencija_za_Istrage_i_Za%C5%A1titu

Directorate of Intelligence and Security

Directorate on Intelligence and Security Services (DISS – Ministry of State President Espionage & Counter Intelligence unit)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence and Security"

Table 1752. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Intelligence_and_Security

Brazilian Intelligence Agency

Brazilian Intelligence Agency (ABIN)

The tag is: misp-galaxy:intelligence-agency="Brazilian Intelligence Agency"

Table 1753. Table References

Links

https://en.wikipedia.org/wiki/Brazilian_Intelligence_Agency

Federal Police Department

Federal Police Department (DPF) (counterintelligence agency)

The tag is: misp-galaxy:intelligence-agency="Federal Police Department"

Table 1754. Table References

Links

https://en.wikipedia.org/wiki/Federal_Police_Department

Institutional Security Bureau

Gabinete de Segurança Institucional (Institutional Security Bureau) (GSI) Responds directly to the president’s office and the armed forces. Coordinates some intelligence operations.

The tag is: misp-galaxy:intelligence-agency="Institutional Security Bureau"

Table 1755. Table References

Links

https://en.wikipedia.org/wiki/Institutional_Security_Bureau

Secretaria da Receita Federal do Brasil

Secretaria da Receita Federal do Brasil (Federal Revenue Secretariat) (RFB) (General Coordination for Research and Investigations - Coordenação-Geral de Pesquisa e Investigação - Copei)

The tag is: misp-galaxy:intelligence-agency="Secretaria da Receita Federal do Brasil"

Table 1756. Table References

Links

https://en.wikipedia.org/wiki/Secretaria_da_Receita_Federal_do_Brasil

Internal Security Department (Brunei)

Internal Security Department (Brunei) (internal)

The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Brunei)"

Table 1757. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Department_(Brunei)

National Intelligence Service (Bulgaria)

State Intelligence Agency (Държавна агенция „Разузнаване“ (DAR)) – overseas intelligence gathering service under the supervision of the Council of Ministers of Bulgaria

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Bulgaria)"

Table 1758. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Bulgaria)

State Agency for National Security

State Agency for National Security (Държавна агенция за национална сигурност (DANS)) – national security service under the supervision of the Council of Ministers of Bulgaria

The tag is: misp-galaxy:intelligence-agency="State Agency for National Security"

Table 1759. Table References

Links

https://en.wikipedia.org/wiki/State_Agency_for_National_Security

National Intelligence Service (Burundi)

Service national de renseignement (SNR)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Burundi)"

Table 1760. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Burundi)

Canadian Security Intelligence Service

Canadian Security Intelligence Service (CSIS)

The tag is: misp-galaxy:intelligence-agency="Canadian Security Intelligence Service"

Table 1761. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Security_Intelligence_Service

Communications Security Establishment Canada

Communications Security Establishment (CSE)

The tag is: misp-galaxy:intelligence-agency="Communications Security Establishment Canada"

Table 1762. Table References

Links

https://en.wikipedia.org/wiki/Communications_Security_Establishment_Canada

Canadian Forces Military Police

Canadian Forces National Counter-Intelligence Unit (DND) operated by the Canadian Forces Military Police Group

The tag is: misp-galaxy:intelligence-agency="Canadian Forces Military Police"

Table 1763. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Forces_Military_Police

Joint Task Force X

Joint Task Force X

The tag is: misp-galaxy:intelligence-agency="Joint Task Force X"

Criminal Intelligence Service Canada

Criminal Intelligence Service Canada (CISC)

The tag is: misp-galaxy:intelligence-agency="Criminal Intelligence Service Canada"

Table 1764. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Intelligence_Service_Canada

Intelligence Branch

Intelligence Branch

The tag is: misp-galaxy:intelligence-agency="Intelligence Branch"

Table 1765. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Branch

Financial Transactions and Reports Analysis Centre of Canada

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

The tag is: misp-galaxy:intelligence-agency="Financial Transactions and Reports Analysis Centre of Canada"

Table 1766. Table References

Links

https://en.wikipedia.org/wiki/Financial_Transactions_and_Reports_Analysis_Centre_of_Canada

Global Affairs Canada

Global Affairs Canada (GAC) Bureau of Intelligence Analysis and Security and Bureau of Economic Intelligence

The tag is: misp-galaxy:intelligence-agency="Global Affairs Canada"

Table 1767. Table References

Links

https://en.wikipedia.org/wiki/Global_Affairs_Canada

Royal Canadian Mounted Police

Royal Canadian Mounted Police (RCMP) Intelligence Division

The tag is: misp-galaxy:intelligence-agency="Royal Canadian Mounted Police"

Table 1768. Table References

Links

https://en.wikipedia.org/wiki/Royal_Canadian_Mounted_Police

Canada Border Services Agency

Canada Border Services Agency (CBSA) Immigrations Intelligence

The tag is: misp-galaxy:intelligence-agency="Canada Border Services Agency"

Table 1769. Table References

Links

https://en.wikipedia.org/wiki/Canada_Border_Services_Agency

Canadian Coast Guard

Canadian Coast Guard (CCG)

The tag is: misp-galaxy:intelligence-agency="Canadian Coast Guard"

Table 1770. Table References

Links

https://en.wikipedia.org/wiki/Canadian_Coast_Guard

Agence nationale de sécurité

Agence nationale de sécurité (ANS)

The tag is: misp-galaxy:intelligence-agency="Agence nationale de sécurité"

Table 1771. Table References

Links

https://en.wikipedia.org/wiki/Agence_nationale_de_s%C3%A9curit%C3%A9

Agencia Nacional de Inteligencia

National Intelligence Agency (ANI) – Agencia Nacional de Inteligencia

The tag is: misp-galaxy:intelligence-agency="Agencia Nacional de Inteligencia"

Table 1772. Table References

Links

https://en.wikipedia.org/wiki/Agencia_Nacional_de_Inteligencia

610 Office

610 Office

The tag is: misp-galaxy:intelligence-agency="610 Office"

Table 1773. Table References

Links

https://en.wikipedia.org/wiki/610_Office

International Liaison Department of the Chinese Communist Party

International Department (ID)

The tag is: misp-galaxy:intelligence-agency="International Liaison Department of the Chinese Communist Party"

Table 1774. Table References

Links

https://en.wikipedia.org/wiki/International_Liaison_Department_of_the_Chinese_Communist_Party

United Front Work Department

United Front Work Department (UFWD)

The tag is: misp-galaxy:intelligence-agency="United Front Work Department"

Table 1775. Table References

Links

https://en.wikipedia.org/wiki/United_Front_Work_Department

Joint Staff Department of the Central Military Commission Intelligence Bureau

Intelligence Bureau of the General Staff aka 2nd Bureau

The tag is: misp-galaxy:intelligence-agency="Joint Staff Department of the Central Military Commission Intelligence Bureau"

Table 1776. Table References

Links

https://en.wikipedia.org/wiki/Joint_Staff_Department_of_the_Central_Military_Commission_Intelligence_Bureau

People’s Liberation Army Air Force

People’s Liberation Army Air Force (PLAAF)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army Air Force"

Table 1777. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_Air_Force

People’s Liberation Army General Political Department

People’s Liberation Army General Political Department (GND)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Political Department"

Table 1778. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Political_Department

People’s Liberation Army General Staff Department

People’s Liberation Army General Staff Department (GSD)

The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Staff Department"

Table 1779. Table References

Links

https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Staff_Department

PLA Unit 61398

PLA Unit 61398 aka APT 1

The tag is: misp-galaxy:intelligence-agency="PLA Unit 61398"

Table 1780. Table References

Links

https://en.wikipedia.org/wiki/PLA_Unit_61398

State Administration of Foreign Experts Affairs

State Administration of Foreign Experts Affairs (SAFEA)

The tag is: misp-galaxy:intelligence-agency="State Administration of Foreign Experts Affairs"

Table 1781. Table References

Links

https://en.wikipedia.org/wiki/State_Administration_of_Foreign_Experts_Affairs

Ministry of Public Security (China)

Ministry of Public Security (MPS)

The tag is: misp-galaxy:intelligence-agency="Ministry of Public Security (China)"

Table 1782. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Public_Security_(China)

Ministry of State Security (China)

Ministry of State Security (MSS)

The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (China)"

Table 1783. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)

Office for Safeguarding National Security of the CPG in the HKSAR

Office for Safeguarding National Security of the CPG in the HKSAR (CPGNSO)

The tag is: misp-galaxy:intelligence-agency="Office for Safeguarding National Security of the CPG in the HKSAR"

Table 1784. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Safeguarding_National_Security_of_the_CPG_in_the_HKSAR

National Intelligence Directorate (Colombia)

Dirección Nacional de Inteligencia (DNI)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Colombia)"

Table 1785. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Colombia)

National Intelligence Agency (Democratic Republic of the Congo)

National Intelligence Agency (ANR)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Democratic Republic of the Congo)"

Table 1786. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Democratic_Republic_of_the_Congo)

DEMIAP

General Staff of Military Intelligence (ex-DEMIAP)

The tag is: misp-galaxy:intelligence-agency="DEMIAP"

Table 1787. Table References

Links

https://en.wikipedia.org/wiki/DEMIAP

Security and Intelligence Agency

Sigurnosno-obavještajna agencija (SOA) (Security and Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Agency"

Table 1788. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Intelligence_Agency

Vojna sigurnosno-obavještajna agencija

Vojna sigurnosno-obavještajna agencija (VSOA) (Military Security and Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Vojna sigurnosno-obavještajna agencija"

Table 1789. Table References

Links

https://en.wikipedia.org/wiki/Vojna_sigurnosno-obavje%C5%A1tajna_agencija

Dirección de Contra-Inteligencia Militar

Military Counterintelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Dirección de Contra-Inteligencia Militar"

Table 1790. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Contra-Inteligencia_Militar

Intelligence Directorate

Dirección General de Inteligencia (DGI)

The tag is: misp-galaxy:intelligence-agency="Intelligence Directorate"

Table 1791. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Directorate

Cyprus Intelligence Service

Cyprus Intelligence Service (CIS) (Κυπριακή Υπηρεσία Πληροφοριών) (ΚΥΠ), (former Central Intelligence Service – KYP)

The tag is: misp-galaxy:intelligence-agency="Cyprus Intelligence Service"

Table 1792. Table References

Links

https://en.wikipedia.org/wiki/Cyprus_Intelligence_Service

Security Information Service

Security Information Service (Bezpečnostní informační služba, BIS)

The tag is: misp-galaxy:intelligence-agency="Security Information Service"

Table 1793. Table References

Links

https://en.wikipedia.org/wiki/Security_Information_Service

Office for Foreign Relations and Information

Office for Foreign Relations and Information (Úřad pro zahraniční styky a informace, ÚZSI)

The tag is: misp-galaxy:intelligence-agency="Office for Foreign Relations and Information"

Table 1794. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Foreign_Relations_and_Information

Military Intelligence (Czech Republic)

Military Intelligence (Vojenské zpravodajství, VZ)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Czech Republic)"

Table 1795. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_(Czech_Republic)

Danish Security and Intelligence Service

Danish Security and Intelligence Service (Politiets Efterretningstjeneste (PET)).

The tag is: misp-galaxy:intelligence-agency="Danish Security and Intelligence Service"

Table 1796. Table References

Links

https://en.wikipedia.org/wiki/Danish_Security_and_Intelligence_Service

Danish Defence Intelligence Service

Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste (FE)).

The tag is: misp-galaxy:intelligence-agency="Danish Defence Intelligence Service"

Table 1797. Table References

Links

https://en.wikipedia.org/wiki/Danish_Defence_Intelligence_Service

Army Intelligence Center

Army Intelligence Center (Efterretningsregimentet (EFR)).

The tag is: misp-galaxy:intelligence-agency="Army Intelligence Center"

Table 1798. Table References

Links

https://en.wikipedia.org/wiki/Army_Intelligence_Center

Egyptian General Intelligence Directorate

Gihaz al-Mukhabarat al-Amma (GIS) (General Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Egyptian General Intelligence Directorate"

Table 1799. Table References

Links

https://en.wikipedia.org/wiki/Egyptian_General_Intelligence_Directorate

Military intelligence and reconnaissance (Egypt)

Idarat al-Mukhabarat al-Harbyya wa al-Istitla (OMIR) (Office of Military Intelligence and Reconnaissance)

The tag is: misp-galaxy:intelligence-agency="Military intelligence and reconnaissance (Egypt)"

Table 1800. Table References

Links

https://en.wikipedia.org/wiki/Military_intelligence_and_reconnaissance_(Egypt)

Egyptian Homeland security

Al-amn al-Watani (HS) (Homeland Security)

The tag is: misp-galaxy:intelligence-agency="Egyptian Homeland security"

Table 1801. Table References

Links

https://en.wikipedia.org/wiki/Egyptian_Homeland_security

National Security Office (Eritrea)

National Security Office

The tag is: misp-galaxy:intelligence-agency="National Security Office (Eritrea)"

Table 1802. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Office_(Eritrea)

Estonian Internal Security Service

Estonian Internal Security Service (KaPo) (Kaitsepolitseiamet)

The tag is: misp-galaxy:intelligence-agency="Estonian Internal Security Service"

Estonian Internal Security Service is also known as:

  • Kaitsepolitseiamet

Table 1803. Table References

Links

https://en.wikipedia.org/wiki/Estonian_Internal_Security_Service

Estonian Foreign Intelligence Service

Estonian Foreign Intelligence Service (VLA) (Välisluureamet)

The tag is: misp-galaxy:intelligence-agency="Estonian Foreign Intelligence Service"

Estonian Foreign Intelligence Service is also known as:

  • VLA

  • Välisluureamet

Table 1804. Table References

Links

https://en.wikipedia.org/wiki/Estonian_Foreign_Intelligence_Service

National Intelligence and Security Service (Ethiopia)

National Intelligence and Security Service (NISS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Ethiopia)"

Table 1805. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Ethiopia)

Finnish Defence Intelligence Agency

Finnish Defence Intelligence Agency – Puolustusvoimien tiedustelulaitos (PVTIEDL) / Försvarsmaktens underrättelsetjänst

The tag is: misp-galaxy:intelligence-agency="Finnish Defence Intelligence Agency"

Finnish Defence Intelligence Agency is also known as:

  • Puolustusvoimien tiedustelulaitos (PVTIEDL)

  • Försvarsmaktens underrättelsetjänst

Table 1806. Table References

Links

https://en.wikipedia.org/wiki/Finnish_Defence_Intelligence_Agency

Intelligence Division (Finland)

Defense Command Intelligence Division – Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning

The tag is: misp-galaxy:intelligence-agency="Intelligence Division (Finland)"

Intelligence Division (Finland) is also known as:

  • Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning

Table 1807. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Division_(Finland)

Finnish Security Intelligence Service

Finnish Security Intelligence Service (SUPO) – Suojelupoliisi / Skyddspolisen

The tag is: misp-galaxy:intelligence-agency="Finnish Security Intelligence Service"

Finnish Security Intelligence Service is also known as:

  • Suojelupoliisi / Skyddspolisen

Table 1808. Table References

Links

https://en.wikipedia.org/wiki/Finnish_Security_Intelligence_Service

National Centre for Counter Terrorism

National Centre for Counter Terrorism (CNRLT, Coordination nationale du renseignement et de la lutte contre le terrorisme)

The tag is: misp-galaxy:intelligence-agency="National Centre for Counter Terrorism"

National Centre for Counter Terrorism is also known as:

  • Coordination nationale du renseignement et de la lutte contre le terrorisme

Table 1809. Table References

Links

https://en.wikipedia.org/wiki/National_Centre_for_Counter_Terrorism

General Directorate for Internal Security

General Directorate for Internal Security (DGSI; Direction générale de la sécurité intérieure) – Domestic counter-terrorism and counter-espionage intelligence.

The tag is: misp-galaxy:intelligence-agency="General Directorate for Internal Security"

General Directorate for Internal Security is also known as:

  • Direction générale de la sécurité intérieure

Table 1810. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_for_Internal_Security

direction nationale du renseignement territorial (DNRT)

direction nationale du renseignement territorial (DNRT)

The tag is: misp-galaxy:intelligence-agency="direction nationale du renseignement territorial (DNRT)"

direction nationale du renseignement territorial (DNRT) is also known as:

  • direction nationale du renseignement territorial

Sous-direction anti-terroriste (SDAT)

Sous-direction anti-terroriste (SDAT)

The tag is: misp-galaxy:intelligence-agency="Sous-direction anti-terroriste (SDAT)"

Sous-direction anti-terroriste (SDAT) is also known as:

  • Sous-direction anti-terroriste

Directorate-General for External Security

Directorate-General for External Security (DGSE; Direction générale de la sécurité extérieure) – Foreign intelligence relating to national security.

The tag is: misp-galaxy:intelligence-agency="Directorate-General for External Security"

Directorate-General for External Security is also known as:

  • Direction générale de la sécurité extérieure

Table 1811. Table References

Links

https://en.wikipedia.org/wiki/Directorate-General_for_External_Security

DRSD

Direction du Renseignement et de la Sécurité de la Défense (DRSD) – Foreign intelligence relating to national security.

The tag is: misp-galaxy:intelligence-agency="DRSD"

DRSD is also known as:

  • Direction du Renseignement et de la Sécurité de la Défense

Table 1812. Table References

Links

https://en.wikipedia.org/wiki/DRSD

Direction du renseignement militaire

Directorate of Military Intelligence (DRM; Direction du renseignement militaire) – Military intelligence.

The tag is: misp-galaxy:intelligence-agency="Direction du renseignement militaire"

Table 1813. Table References

Links

https://en.wikipedia.org/wiki/Direction_du_renseignement_militaire

Tracfin

Tracfin

The tag is: misp-galaxy:intelligence-agency="Tracfin"

Table 1814. Table References

Links

https://en.wikipedia.org/wiki/Tracfin

Direction Nationale du Renseignement et des Enquêtes Douanières

Direction Nationale du Renseignement et des Enquêtes Douanières (DNRED)

The tag is: misp-galaxy:intelligence-agency="Direction Nationale du Renseignement et des Enquêtes Douanières"

Table 1815. Table References

Links

https://en.wikipedia.org/wiki/Direction_Nationale_du_Renseignement_et_des_Enqu%C3%AAtes_Douani%C3%A8res

State Intelligence Services (the Gambia)

State Intelligence Services (the Gambia) (SIS)

The tag is: misp-galaxy:intelligence-agency="State Intelligence Services (the Gambia)"

Table 1816. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Services_(the_Gambia)

State Security Service (Georgia)

State Security Service (SSSG) – სახელმწიფო უშიშროების სამსახური

The tag is: misp-galaxy:intelligence-agency="State Security Service (Georgia)"

State Security Service (Georgia) is also known as:

  • სახელმწიფო უშიშროების სამსახური

Table 1817. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Georgia)

Georgian Intelligence Service

Georgian Intelligence Service (GIS) – საქართველოს დაზვერვის სამსახური

The tag is: misp-galaxy:intelligence-agency="Georgian Intelligence Service"

Georgian Intelligence Service is also known as:

  • საქართველოს დაზვერვის სამსახური

Table 1818. Table References

Links

https://en.wikipedia.org/wiki/Georgian_Intelligence_Service

Military Intelligence Department

Military Intelligence Department

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Department"

Bundesnachrichtendienst

Bundesnachrichtendienst (BND): Federal Intelligence Service

The tag is: misp-galaxy:intelligence-agency="Bundesnachrichtendienst"

Bundesnachrichtendienst is also known as:

  • Federal Intelligence Service

Table 1819. Table References

Links

https://en.wikipedia.org/wiki/Bundesnachrichtendienst

Bundesamt für Verfassungsschutz

Bundesamt für Verfassungsschutz (BfV): Federal Office for the Protection of the Constitution

The tag is: misp-galaxy:intelligence-agency="Bundesamt für Verfassungsschutz"

Bundesamt für Verfassungsschutz is also known as:

  • Federal Office for the Protection of the Constitution

Table 1820. Table References

Links

https://en.wikipedia.org/wiki/Bundesamt_f%C3%BCr_Verfassungsschutz

Federal Office for Information Security

Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security

The tag is: misp-galaxy:intelligence-agency="Federal Office for Information Security"

Table 1821. Table References

Links

https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology

The tag is: misp-galaxy:intelligence-agency="Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology"

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology is also known as:

  • Center for information and communication technology

Militärischer Abschirmdienst

Militärischer Abschirmdienst (MAD): Military Counterintelligence Service

The tag is: misp-galaxy:intelligence-agency="Militärischer Abschirmdienst"

Militärischer Abschirmdienst is also known as:

  • Military Counterintelligence Service

Table 1822. Table References

Links

https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Abschirmdienst

State Authority for the Protection of the Constitution

Landesamt für Verfassungsschutz (LfV): (semi-independent) State Authority for the Protection of the Constitution, one in each federal state

The tag is: misp-galaxy:intelligence-agency="State Authority for the Protection of the Constitution"

Table 1823. Table References

Links

https://en.wikipedia.org/wiki/State_Authority_for_the_Protection_of_the_Constitution

Bureau of National Investigations

Bureau of National Investigations (BNI) – (Internal Intelligence Agency)

The tag is: misp-galaxy:intelligence-agency="Bureau of National Investigations"

Table 1824. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_National_Investigations

National Intelligence Service (Greece)

National Intelligence Service (ΕΥΠ) – Εθνική Υπηρεσία Πληροφοριών

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Greece)"

National Intelligence Service (Greece) is also known as:

  • Εθνική Υπηρεσία Πληροφοριών

Table 1825. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Greece)

E Division – Intelligence Division

E Division – Intelligence Division

The tag is: misp-galaxy:intelligence-agency="E Division – Intelligence Division"

National Intelligence and Security Agency (NISA)[6][7][8][9]

National Intelligence and Security Agency (NISA)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency (NISA)[6][7][8][9]"

Table 1826. Table References

Links

https://en.wikipedia.org#cite_note-6

Service d’Intelligence National

Service d’Intelligence National (SIN) (National Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Service d’Intelligence National"

Table 1827. Table References

Links

https://en.wikipedia.org/wiki/Service_d%27Intelligence_National

Információs Hivatal

Információs Hivatal (IH) (Information Office)

The tag is: misp-galaxy:intelligence-agency="Információs Hivatal"

Table 1828. Table References

Links

https://en.wikipedia.org/wiki/Inform%C3%A1ci%C3%B3s_Hivatal

Nemzetbiztonsági Hivatal

Alkotmányvédelmi Hivatal (AH) (Constitution Protection Office)

The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Hivatal"

Table 1829. Table References

Links

https://en.wikipedia.org/wiki/Nemzetbiztons%C3%A1gi_Hivatal

Terrorelhárítási Központ

Terrorelhárítási Központ (TEK) (Counter Terrorism Centre)

The tag is: misp-galaxy:intelligence-agency="Terrorelhárítási Központ"

Table 1830. Table References

Links

https://en.wikipedia.org/wiki/Terrorelh%C3%A1r%C3%ADt%C3%A1si_K%C3%B6zpont

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)"

Nemzeti Információs Központ (NIK) (National Information Center)

Nemzeti Információs Központ (NIK) (National Information Center)

The tag is: misp-galaxy:intelligence-agency="Nemzeti Információs Központ (NIK) (National Information Center)"

Icelandic Police

The National Police Commissioner’s Analysis Unit – Greiningardeild Ríkislögreglustjóra (GRLS)

The tag is: misp-galaxy:intelligence-agency="Icelandic Police"

Table 1831. Table References

Links

https://en.wikipedia.org/wiki/Icelandic_Police#The_Icelandic_Intelligence_Service

Icelandic Crisis Response Unit

Icelandic Defense Agency’s Analysis Unit – Greiningardeild Varnarmálastofnunar Íslands (GVMSÍ) (Defunct)

The tag is: misp-galaxy:intelligence-agency="Icelandic Crisis Response Unit"

Table 1832. Table References

Links

https://en.wikipedia.org/wiki/Icelandic_Crisis_Response_Unit#Intelligence_gathering

Research and Analysis Wing

Research and Analysis Wing (R&AW)

The tag is: misp-galaxy:intelligence-agency="Research and Analysis Wing"

Table 1833. Table References

Links

https://en.wikipedia.org/wiki/Research_and_Analysis_Wing

Intelligence Bureau (India)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (India)"

Table 1834. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Bureau_(India)

National Investigation Agency

National Investigation Agency

The tag is: misp-galaxy:intelligence-agency="National Investigation Agency"

Table 1835. Table References

Links

https://en.wikipedia.org/wiki/National_Investigation_Agency

National Technical Research Organisation

National Technical Research Organisation (NTRO)

The tag is: misp-galaxy:intelligence-agency="National Technical Research Organisation"

Table 1836. Table References

Links

https://en.wikipedia.org/wiki/National_Technical_Research_Organisation

Directorate of Revenue Intelligence

Directorate of Revenue Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Revenue Intelligence"

Table 1837. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Revenue_Intelligence

Ministry of Finance (India)

Economic Intelligence Council

The tag is: misp-galaxy:intelligence-agency="Ministry of Finance (India)"

Table 1838. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Finance_(India)

Enforcement Directorate

Enforcement Directorate

The tag is: misp-galaxy:intelligence-agency="Enforcement Directorate"

Table 1839. Table References

Links

https://en.wikipedia.org/wiki/Enforcement_Directorate

Directorate General of GST Intelligence

Directorate General of GST Intelligence (DGGI)

The tag is: misp-galaxy:intelligence-agency="Directorate General of GST Intelligence"

Table 1840. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_GST_Intelligence

Indian Army

Directorate of Military Intelligence

The tag is: misp-galaxy:intelligence-agency="Indian Army"

Table 1841. Table References

Links

https://en.wikipedia.org/wiki/Indian_Army

Directorate of Air Intelligence (India)

Directorate of Air Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence (India)"

Table 1842. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Air_Intelligence_(India)

Directorate of Naval Intelligence (India)

Directorate of Naval Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Naval Intelligence (India)"

Table 1843. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Naval_Intelligence_(India)

Joint Cipher Bureau

Joint Cipher Bureau

The tag is: misp-galaxy:intelligence-agency="Joint Cipher Bureau"

Table 1844. Table References

Links

https://en.wikipedia.org/wiki/Joint_Cipher_Bureau

State Intelligence Agency (Indonesia)

State Intelligence Agency (BIN) – Badan Intelijen Negara

The tag is: misp-galaxy:intelligence-agency="State Intelligence Agency (Indonesia)"

State Intelligence Agency (Indonesia) is also known as:

  • Badan Intelijen Negara

Table 1845. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Agency_(Indonesia)

Indonesian Strategic Intelligence Agency

Indonesian Strategic Intelligence Agency (BAIS) – Badan Intelijen Strategis Tentara Nasional Indonesia

The tag is: misp-galaxy:intelligence-agency="Indonesian Strategic Intelligence Agency"

Indonesian Strategic Intelligence Agency is also known as:

  • Badan Intelijen Strategis Tentara Nasional Indonesia

Table 1846. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Strategic_Intelligence_Agency

Indonesian Army Intelligence Centre

Indonesian Army Intelligence Centre (PUSINTELAD) – Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat

The tag is: misp-galaxy:intelligence-agency="Indonesian Army Intelligence Centre"

Indonesian Army Intelligence Centre is also known as:

  • Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat

Table 1847. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Army_Intelligence_Centre

National Cyber and Crypto Agency

National Cyber and Crypto Agency (BSSN) – Badan Siber dan Sandi Negara

The tag is: misp-galaxy:intelligence-agency="National Cyber and Crypto Agency"

National Cyber and Crypto Agency is also known as:

  • Badan Siber dan Sandi Negara

Table 1848. Table References

Links

https://en.wikipedia.org/wiki/National_Cyber_and_Crypto_Agency

Attorney General’s Office of Indonesia

Deputy Attorney General on Intelligence (Under the Attorney General’s Office) – Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung

The tag is: misp-galaxy:intelligence-agency="Attorney General’s Office of Indonesia"

Attorney General’s Office of Indonesia is also known as:

  • Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung

Table 1849. Table References

Links

https://en.wikipedia.org/wiki/Attorney_General%27s_Office_of_Indonesia

Directorate General of Immigration (Indonesia)

Directorate of Immigration Intelligence – Direktorat Intelijen Imigrasi

The tag is: misp-galaxy:intelligence-agency="Directorate General of Immigration (Indonesia)"

Directorate General of Immigration (Indonesia) is also known as:

  • Direktorat Intelijen Imigrasi

Table 1850. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Immigration_(Indonesia)

National Anti-Narcotics Agency (Indonesia)

National Narcotics Agency Intelligence Section – Seksi Intelijen Badan Narkotika Nasional

The tag is: misp-galaxy:intelligence-agency="National Anti-Narcotics Agency (Indonesia)"

National Anti-Narcotics Agency (Indonesia) is also known as:

  • Seksi Intelijen Badan Narkotika Nasional

Table 1851. Table References

Links

https://en.wikipedia.org/wiki/National_Anti-Narcotics_Agency_(Indonesia)

id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

Indonesian National Police Intelligence and Security Agency - Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

The tag is: misp-galaxy:intelligence-agency="id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia"

id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia is also known as:

  • Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

Table 1852. Table References

Links

https://id.wikipedia.org/wiki/Badan_Intelijen_dan_Keamanan_Kepolisian_Negara_Republik_Indonesia

Directorate General of Customs and Excise (Indonesia)

Customs & Excise Sub-Directorate of Intelligence – Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai

The tag is: misp-galaxy:intelligence-agency="Directorate General of Customs and Excise (Indonesia)"

Directorate General of Customs and Excise (Indonesia) is also known as:

  • Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai

Table 1853. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Customs_and_Excise_(Indonesia)

Indonesian Financial Transaction Reports and Analysis Center

Indonesian Financial Transaction Reports and Analysis Center (PPATK) – Pusat Pelaporan dan Analisis Transaksi Keuangan

The tag is: misp-galaxy:intelligence-agency="Indonesian Financial Transaction Reports and Analysis Center"

Indonesian Financial Transaction Reports and Analysis Center is also known as:

  • Pusat Pelaporan dan Analisis Transaksi Keuangan

Table 1854. Table References

Links

https://en.wikipedia.org/wiki/Indonesian_Financial_Transaction_Reports_and_Analysis_Center

Ministry of Intelligence (Iran)

Ministry of Intelligence (VAJA)

The tag is: misp-galaxy:intelligence-agency="Ministry of Intelligence (Iran)"

Table 1855. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_Intelligence_(Iran)

Oghab 2

Oghab 2 – Nuclear facilities security

The tag is: misp-galaxy:intelligence-agency="Oghab 2"

Table 1856. Table References

Links

https://en.wikipedia.org/wiki/Oghab_2

Council for Intelligence Coordination

Council for Intelligence Coordination

The tag is: misp-galaxy:intelligence-agency="Council for Intelligence Coordination"

Table 1857. Table References

Links

https://en.wikipedia.org/wiki/Council_for_Intelligence_Coordination

Intelligence Protection Organization of Islamic Republic of Iran Army

Intelligence Protection Organization of Iranian Army (SAHEFAJA)

The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Islamic Republic of Iran Army"

Table 1858. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Protection_Organization_of_Islamic_Republic_of_Iran_Army

Intelligence Organization of Army of the Guardians of the Islamic Revolution

Intelligence Organization of IRGC

The tag is: misp-galaxy:intelligence-agency="Intelligence Organization of Army of the Guardians of the Islamic Revolution"

Table 1859. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Organization_of_Army_of_the_Guardians_of_the_Islamic_Revolution

Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution

Intelligence Protection Organization of IRGC (SAHEFASA)

The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution"

Table 1860. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Protection_Organization_of_Army_of_the_Guardians_of_the_Islamic_Revolution

Intelligence org of FARAJA

Intelligence org of FARAJA

The tag is: misp-galaxy:intelligence-agency="Intelligence org of FARAJA"

Intelligence org of the Islamic Republic of Iran[12]

Intelligence org of the Islamic Republic of Iran[12]

The tag is: misp-galaxy:intelligence-agency="Intelligence org of the Islamic Republic of Iran[12]"

Table 1861. Table References

Links

https://en.wikipedia.org#cite_note-12

General Security Directorate (Iraq)

General Security Directorate - (GSD) - (Internal security agency)

The tag is: misp-galaxy:intelligence-agency="General Security Directorate (Iraq)"

Table 1862. Table References

Links

https://en.wikipedia.org/wiki/General_Security_Directorate_(Iraq)

Iraqi National Intelligence Service

Iraqi National Intelligence Service - (INIS) - (Foreign intelligence and Special operations)

The tag is: misp-galaxy:intelligence-agency="Iraqi National Intelligence Service"

Table 1863. Table References

Links

https://en.wikipedia.org/wiki/Iraqi_National_Intelligence_Service

Falcons Intelligence Cell

Falcons Intelligence Cell - (FIC) - (Military intelligence)

The tag is: misp-galaxy:intelligence-agency="Falcons Intelligence Cell"

Table 1864. Table References

Links

https://en.wikipedia.org/wiki/Falcons_Intelligence_Cell

Kurdistan Region Security Council

Kurdistan Region Security Council (KRSC) - (Regional security agency)

The tag is: misp-galaxy:intelligence-agency="Kurdistan Region Security Council"

Table 1865. Table References

Links

https://en.wikipedia.org/wiki/Kurdistan_Region_Security_Council

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

The tag is: misp-galaxy:intelligence-agency="Intelligence and Counter-Terrorism Directorate - Ministry of Interior"

Directorate of Military Intelligence (Ireland)

Directorate of Military Intelligence (G2)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Ireland)"

Table 1866. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Ireland)

CIS Corps (Ireland)

Communications and Information Services Corps (CIS) SIGINT Section

The tag is: misp-galaxy:intelligence-agency="CIS Corps (Ireland)"

Table 1867. Table References

Links

https://en.wikipedia.org/wiki/CIS_Corps_(Ireland)

Special Detective Unit

Special Detective Unit (SDU)

The tag is: misp-galaxy:intelligence-agency="Special Detective Unit"

Table 1868. Table References

Links

https://en.wikipedia.org/wiki/Special_Detective_Unit

Garda National Surveillance Unit

National Surveillance Unit (NSU)

The tag is: misp-galaxy:intelligence-agency="Garda National Surveillance Unit"

Table 1869. Table References

Links

https://en.wikipedia.org/wiki/Garda_National_Surveillance_Unit

National Economic Crime Bureau

Financial Intelligence Unit (FIU)

The tag is: misp-galaxy:intelligence-agency="National Economic Crime Bureau"

Table 1870. Table References

Links

https://en.wikipedia.org/wiki/National_Economic_Crime_Bureau

Mossad

Mossad (Foreign Intelligence and Special Operations)

The tag is: misp-galaxy:intelligence-agency="Mossad"

Table 1871. Table References

Links

https://en.wikipedia.org/wiki/Mossad

Shin Bet

Shin Bet (Internal Security Service)

The tag is: misp-galaxy:intelligence-agency="Shin Bet"

Table 1872. Table References

Links

https://en.wikipedia.org/wiki/Shin_Bet

Military Intelligence Directorate (Israel)

Aman (Military intelligence)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Israel)"

Table 1873. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Israel)

Lahav 433

Lahav 433 (Police intelligence)

The tag is: misp-galaxy:intelligence-agency="Lahav 433"

Table 1874. Table References

Links

https://en.wikipedia.org/wiki/Lahav_433

Agenzia Informazioni e Sicurezza Interna

Agenzia Informazioni e Sicurezza Interna (AISI) - Agency for Internal Information and Security

The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Interna"

Table 1875. Table References

Links

https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Interna

Agenzia Informazioni e Sicurezza Esterna

Agenzia Informazioni e Sicurezza Esterna (AISE) - Agency for External Information and Security

The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Esterna"

Table 1876. Table References

Links

https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Esterna

Centro Intelligence Interforze

Centro Intelligence Interforze (CII) - Joint Intelligence Center

The tag is: misp-galaxy:intelligence-agency="Centro Intelligence Interforze"

Table 1877. Table References

Links

https://en.wikipedia.org/wiki/Centro_Intelligence_Interforze

Financial Investigations Division (FID)[14]

Financial Investigations Division (FID)[14]

The tag is: misp-galaxy:intelligence-agency="Financial Investigations Division (FID)[14]"

Table 1878. Table References

Links

https://en.wikipedia.org#cite_note-14

Cabinet Intelligence and Research Office

Cabinet Intelligence and Research Office (CIRO)

The tag is: misp-galaxy:intelligence-agency="Cabinet Intelligence and Research Office"

Table 1879. Table References

Links

https://en.wikipedia.org/wiki/Cabinet_Intelligence_and_Research_Office

Defense Intelligence Headquarters

Defense Intelligence Headquarters (DIH)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Headquarters"

Table 1880. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Headquarters

Public Security Intelligence Agency

Public Security Intelligence Agency (PSIA)

The tag is: misp-galaxy:intelligence-agency="Public Security Intelligence Agency"

Table 1881. Table References

Links

https://en.wikipedia.org/wiki/Public_Security_Intelligence_Agency

Dairat al-Mukhabarat al-Ammah

General Intelligence Department (GID) - (Da’irat al-Mukhabarat al-’Ammah)

The tag is: misp-galaxy:intelligence-agency="Dairat al-Mukhabarat al-Ammah"

Table 1882. Table References

Links

https://en.wikipedia.org/wiki/Dairat_al-Mukhabarat_al-Ammah

National Intelligence Service (Kenya)

National Intelligence Service (NIS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Kenya)"

Table 1883. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(Kenya)

Criminal Investigation Department (Kenya)

Directorate of Criminal Investigation (DCI)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Kenya)"

Table 1884. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Kenya)

Military Intelligence(MI)

Military Intelligence (MI)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence(MI)"

Table 1885. Table References

Links

https://mod.go.ke/reports/cdf-opens-military-intelligence-corps-headquarters/

State Committee for National Security (Kyrgyzstan)

State Committee for National Security (UKMK/GKNB)

The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Kyrgyzstan)"

Table 1886. Table References

Links

https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Kyrgyzstan)

General Directorate of General Security

General Directorate of General Security

The tag is: misp-galaxy:intelligence-agency="General Directorate of General Security"

Table 1887. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_of_General_Security

The Information Branch

The Information Branch

The tag is: misp-galaxy:intelligence-agency="The Information Branch"

Table 1888. Table References

Links

https://en.wikipedia.org/wiki/The_Information_Branch

Lebanese State Security

Lebanese State Security

The tag is: misp-galaxy:intelligence-agency="Lebanese State Security"

Table 1889. Table References

Links

https://en.wikipedia.org/wiki/Lebanese_State_Security

National Security Agency (Liberia)

National Security Agency

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Liberia)"

Table 1890. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Liberia)

State Security Department of Lithuania

State Security Department - (Valstybes saugumo departamentas (VSD))

The tag is: misp-galaxy:intelligence-agency="State Security Department of Lithuania"

Table 1891. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Department_of_Lithuania

Second Investigation Department

Second Investigation Department - (Antrasis operatyvinių tarnybų departamentas (AOTD))

The tag is: misp-galaxy:intelligence-agency="Second Investigation Department"

Table 1892. Table References

Links

https://en.wikipedia.org/wiki/Second_Investigation_Department

Service de Renseignement de l’État

Luxembourg State Intelligence Service - (Service de Renseignement de l’État Luxembourgeois)

The tag is: misp-galaxy:intelligence-agency="Service de Renseignement de l’État"

Table 1893. Table References

Links

https://en.wikipedia.org/wiki/Service_de_Renseignement_de_l%E2%80%99%C3%89tat

Central Intelligence Service (CIS)[15]

Central Intelligence Service (CIS)[15]

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Service (CIS)[15]"

Table 1894. Table References

Links

https://en.wikipedia.org#cite_note-15

Malaysian Defence Intelligence Organisation

Malaysian Defence Intelligence Organisation (Military Intelligence)[16]

The tag is: misp-galaxy:intelligence-agency="Malaysian Defence Intelligence Organisation"

Table 1895. Table References

Links

https://en.wikipedia.org/wiki/Malaysian_Defence_Intelligence_Organisation

Research Division of the Prime Minister’s Department

Malaysian External Intelligence Organisation (Foreign Intelligence)

The tag is: misp-galaxy:intelligence-agency="Research Division of the Prime Minister’s Department"

Table 1896. Table References

Links

https://en.wikipedia.org/wiki/Research_Division_of_the_Prime_Minister%27s_Department

Malaysian Special Branch

Malaysian Special Branch (Police & Internal Intelligence)[17]

The tag is: misp-galaxy:intelligence-agency="Malaysian Special Branch"

Table 1897. Table References

Links

https://en.wikipedia.org/wiki/Malaysian_Special_Branch

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

The tag is: misp-galaxy:intelligence-agency="Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)"

Assistant Attorney General’s Office for Special Investigations on Organized Crime

Assistant Attorney General’s Office for Special Investigations on Organized Crime (SEIDO / PGR)

The tag is: misp-galaxy:intelligence-agency="Assistant Attorney General’s Office for Special Investigations on Organized Crime"

Table 1898. Table References

Links

https://en.wikipedia.org/wiki/Assistant_Attorney_General%27s_Office_for_Special_Investigations_on_Organized_Crime

Federal Police (Mexico)

Intelligence Division of the Federal Police (Division de Inteligencia – CNS / Policia Federal)

The tag is: misp-galaxy:intelligence-agency="Federal Police (Mexico)"

Table 1899. Table References

Links

https://en.wikipedia.org/wiki/Federal_Police_(Mexico)#Intelligence_Division

National Intelligence Centre (México)

National Intelligence Centre (CNI)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Centre (México)"

Table 1900. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Centre_(M%C3%A9xico)

Estado Mayor Presidencial

2nd Section of the National Defense Intelligence Staff (SEDENA S-2 – Seccion 2da: Inteligencia del Estado Mayor)

The tag is: misp-galaxy:intelligence-agency="Estado Mayor Presidencial"

Table 1901. Table References

Links

https://en.wikipedia.org/wiki/Estado_Mayor_Presidencial

SEDENA

Military Intelligence – National Defense Ministry (Inteligencia Militar – SEDENA / Ejercito y Fuerza Aerea)

The tag is: misp-galaxy:intelligence-agency="SEDENA"

Table 1902. Table References

Links

https://en.wikipedia.org/wiki/SEDENA

Secretariat of the Navy

Naval Intelligence - (Inteligencia Naval / SEMAR / Marina Armada)

The tag is: misp-galaxy:intelligence-agency="Secretariat of the Navy"

Table 1903. Table References

Links

https://en.wikipedia.org/wiki/Secretariat_of_the_Navy

Information and Security Service of the Republic of Moldova

Information and Security Service (SIS)[18]

The tag is: misp-galaxy:intelligence-agency="Information and Security Service of the Republic of Moldova"

Table 1904. Table References

Links

https://en.wikipedia.org/wiki/Information_and_Security_Service_of_the_Republic_of_Moldova

General Intelligence Agency of Mongolia

General Intelligence Agency of Mongolia (GIA)

The tag is: misp-galaxy:intelligence-agency="General Intelligence Agency of Mongolia"

Table 1905. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Agency_of_Mongolia

National Security Agency (Montenegro)

National Security Agency (ANB)

The tag is: misp-galaxy:intelligence-agency="National Security Agency (Montenegro)"

Table 1906. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency_(Montenegro)

General Directorate for Territorial Surveillance (Morocco)

General Directorate for Territorial Surveillance - Direction de la Surveillance du Territoire (DST)

The tag is: misp-galaxy:intelligence-agency="General Directorate for Territorial Surveillance (Morocco)"

Table 1907. Table References

Links

https://en.wikipedia.org/wiki/General_Directorate_for_Territorial_Surveillance_(Morocco)

Deuxième Bureau (Morocco)

Deuxième Bureau (Morocco) - Military secret service[19]

The tag is: misp-galaxy:intelligence-agency="Deuxième Bureau (Morocco)"

Table 1908. Table References

Links

https://en.wikipedia.org/wiki/Deuxi%C3%A8me_Bureau_(Morocco)

Direction Generale pour l’Etude et la Documentation

Directorate of Research and Documentation - Direction Generale pour l’Etude et la Documentation (DGED)

The tag is: misp-galaxy:intelligence-agency="Direction Generale pour l’Etude et la Documentation"

Table 1909. Table References

Links

https://en.wikipedia.org/wiki/Direction_Generale_pour_l%27Etude_et_la_Documentation

Office of the Chief of Military Security Affairs

Office of the Chief of Military Security Affairs (OCMSA)

The tag is: misp-galaxy:intelligence-agency="Office of the Chief of Military Security Affairs"

Table 1910. Table References

Links

https://en.wikipedia.org/wiki/Office_of_the_Chief_of_Military_Security_Affairs

Bureau Of Special Investigation

Bureau Of Special Investigation (BSI)

The tag is: misp-galaxy:intelligence-agency="Bureau Of Special Investigation"

Table 1911. Table References

Links

https://en.wikipedia.org/wiki/Bureau_Of_Special_Investigation

Special Intelligence Department

Special Intelligence Department (SID)

The tag is: misp-galaxy:intelligence-agency="Special Intelligence Department"

Table 1912. Table References

Links

https://en.wikipedia.org/wiki/Special_Intelligence_Department

Namibia Central Intelligence Service

Namibia Central Intelligence Service (NCIS)

The tag is: misp-galaxy:intelligence-agency="Namibia Central Intelligence Service"

Table 1913. Table References

Links

https://en.wikipedia.org/wiki/Namibia_Central_Intelligence_Service

Directorate of Military Intelligence, Nepal

Directorate of Military Intelligence (DMI)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence, Nepal"

Table 1914. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence,_Nepal

National Investigation Department of Nepal

National Investigation Department (NID)

The tag is: misp-galaxy:intelligence-agency="National Investigation Department of Nepal"

Table 1915. Table References

Links

https://en.wikipedia.org/wiki/National_Investigation_Department_of_Nepal

General Intelligence and Security Service

General Intelligence and Security Service - Algemene Inlichtingen en Veiligheidsdienst (AIVD)

The tag is: misp-galaxy:intelligence-agency="General Intelligence and Security Service"

Table 1916. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_and_Security_Service

Joint Sigint Cyber Unit

Joint Sigint Cyber Unit (JSCU)

The tag is: misp-galaxy:intelligence-agency="Joint Sigint Cyber Unit"

Table 1917. Table References

Links

https://en.wikipedia.org/wiki/Joint_Sigint_Cyber_Unit

National Coordinator for Counterterrorism and Security

National Coordinator for Counterterrorism and Security - Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)

The tag is: misp-galaxy:intelligence-agency="National Coordinator for Counterterrorism and Security"

National Coordinator for Counterterrorism and Security is also known as:

  • Nationaal Coördinator Terrorismebestrijding en Veiligheid

Table 1918. Table References

Links

https://en.wikipedia.org/wiki/National_Coordinator_for_Counterterrorism_and_Security

Team Criminal Intelligence (KMar-TCI)

Team Criminal Intelligence (KMar-TCI)

The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (KMar-TCI)"

Team Criminal Intelligence (FIOD-TCI)

Team Criminal Intelligence (FIOD-TCI)

The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (FIOD-TCI)"

Government Communications Security Bureau

Government Communications Security Bureau[20]

The tag is: misp-galaxy:intelligence-agency="Government Communications Security Bureau"

Table 1919. Table References

Links

https://en.wikipedia.org/wiki/Government_Communications_Security_Bureau

New Zealand Security Intelligence Service

New Zealand Security Intelligence Service[20]

The tag is: misp-galaxy:intelligence-agency="New Zealand Security Intelligence Service"

Table 1920. Table References

Links

https://en.wikipedia.org/wiki/New_Zealand_Security_Intelligence_Service

National Assessments Bureau

National Assessments Bureau[20]

The tag is: misp-galaxy:intelligence-agency="National Assessments Bureau"

Table 1921. Table References

Links

https://en.wikipedia.org/wiki/National_Assessments_Bureau

National Intelligence Agency (Nigeria)

National Intelligence Agency (Foreign Intelligence and Counterintelligence)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Nigeria)"

Table 1922. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Nigeria)

Defence Intelligence Agency (Nigeria)

Defence Intelligence Agency (Military Intelligence)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Agency (Nigeria)"

Table 1923. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence_Agency_(Nigeria)

State Security Service (Nigeria)

State Security Service (Internal Security)

The tag is: misp-galaxy:intelligence-agency="State Security Service (Nigeria)"

Table 1924. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Nigeria)

Reconnaissance General Bureau

Reconnaissance General Bureau[21]

The tag is: misp-galaxy:intelligence-agency="Reconnaissance General Bureau"

Table 1925. Table References

Links

https://en.wikipedia.org/wiki/Reconnaissance_General_Bureau

Ministry of State Security (North Korea)

Ministry of State Security[22]

The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (North Korea)"

Table 1926. Table References

Links

https://en.wikipedia.org/wiki/Ministry_of_State_Security_(North_Korea)

Administration for Security and Counterintelligence

Administration for Security and Counterintelligence (Uprava za bezbednost i kontrarazuznavanje) (Police Agency)

The tag is: misp-galaxy:intelligence-agency="Administration for Security and Counterintelligence"

Administration for Security and Counterintelligence is also known as:

  • Uprava za bezbednost i kontrarazuznavanje

Table 1927. Table References

Links

https://en.wikipedia.org/wiki/Administration_for_Security_and_Counterintelligence

Intelligence Agency of North Macedonia

Intelligence Agency (Agencija za Razuznavanje) (Civilian Agency) IA

The tag is: misp-galaxy:intelligence-agency="Intelligence Agency of North Macedonia"

Intelligence Agency of North Macedonia is also known as:

  • Agencija za Razuznavanje

Table 1928. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Agency_of_North_Macedonia

Military Service for Security and Intelligence

Military Service for Security and Intelligence (Voena služba za razuznuvanje i bezbednost) (Military Agency) [1]

The tag is: misp-galaxy:intelligence-agency="Military Service for Security and Intelligence"

Military Service for Security and Intelligence is also known as:

  • Voena služba za razuznuvanje i bezbednost

Table 1929. Table References

Links

https://en.wikipedia.org/wiki/Military_Service_for_Security_and_Intelligence

Nasjonal sikkerhetsmyndighet

Nasjonal sikkerhetsmyndighet (NSM) (National Security Authority)

The tag is: misp-galaxy:intelligence-agency="Nasjonal sikkerhetsmyndighet"

Table 1930. Table References

Links

https://en.wikipedia.org/wiki/Nasjonal_sikkerhetsmyndighet

Politiets sikkerhetstjeneste

Politiets sikkerhetstjeneste (PST) (Police Security Service)

The tag is: misp-galaxy:intelligence-agency="Politiets sikkerhetstjeneste"

Table 1931. Table References

Links

https://en.wikipedia.org/wiki/Politiets_sikkerhetstjeneste

Etterretningstjenesten

Etterretningstjenesten (NIS) (Norwegian Intelligence Service)

The tag is: misp-galaxy:intelligence-agency="Etterretningstjenesten"

Table 1932. Table References

Links

https://en.wikipedia.org/wiki/Etterretningstjenesten

Forsvarets sikkerhetstjeneste

Forsvarets sikkerhetstjeneste (FOST) – Norwegian Defence Security Service (NORDSS)

The tag is: misp-galaxy:intelligence-agency="Forsvarets sikkerhetstjeneste"

Table 1933. Table References

Links

https://en.wikipedia.org/wiki/Forsvarets_sikkerhetstjeneste

Palace Office (Oman)

The Palace Office [Foreign Intelligence]

The tag is: misp-galaxy:intelligence-agency="Palace Office (Oman)"

Table 1934. Table References

Links

https://en.wikipedia.org/wiki/Palace_Office_(Oman)

Internal Security Service

Internal Security Service [Internal Security]

The tag is: misp-galaxy:intelligence-agency="Internal Security Service"

Table 1935. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Service

Inter-Services Intelligence

Inter-Services Intelligence (ISI)

The tag is: misp-galaxy:intelligence-agency="Inter-Services Intelligence"

Table 1936. Table References

Links

https://en.wikipedia.org/wiki/Inter-Services_Intelligence

Air Intelligence (Pakistan)

Air Intelligence (AI)

The tag is: misp-galaxy:intelligence-agency="Air Intelligence (Pakistan)"

Table 1937. Table References

Links

https://en.wikipedia.org/wiki/Air_Intelligence_(Pakistan)

Military Intelligence (Pakistan)

Military Intelligence (MI)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Pakistan)"

Table 1938. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_(Pakistan)

Naval Intelligence (Pakistan)

Naval Intelligence (NI)

The tag is: misp-galaxy:intelligence-agency="Naval Intelligence (Pakistan)"

Table 1939. Table References

Links

https://en.wikipedia.org/wiki/Naval_Intelligence_(Pakistan)

Intelligence Bureau (Pakistan)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (Pakistan)"

Table 1940. Table References

Links

https://en.wikipedia.org/wiki/Intelligence_Bureau_(Pakistan)

Federal Investigation Agency

Federal Investigation Agency (FIA)

The tag is: misp-galaxy:intelligence-agency="Federal Investigation Agency"

Table 1941. Table References

Links

https://en.wikipedia.org/wiki/Federal_Investigation_Agency

National Counter Terrorism Authority

National Counter Terrorism Authority (NACTA)

The tag is: misp-galaxy:intelligence-agency="National Counter Terrorism Authority"

Table 1942. Table References

Links

https://en.wikipedia.org/wiki/National_Counter_Terrorism_Authority

Counter Terrorism Department (Pakistan)

Counter Terrorism Department (CTD)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Department (Pakistan)"

Table 1943. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_Department_(Pakistan)

National Intelligence Directorate (Pakistan)

National Intelligence Directorate (NID)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Pakistan)"

Table 1944. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Pakistan)

Special Branch (Pakistan)

Special Branch (Pakistan)

The tag is: misp-galaxy:intelligence-agency="Special Branch (Pakistan)"

Table 1945. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch_(Pakistan)

Directorate General of Intelligence and Investigation

Directorate-General of Intelligence and Investigation (DGII)

The tag is: misp-galaxy:intelligence-agency="Directorate General of Intelligence and Investigation"

Table 1946. Table References

Links

https://en.wikipedia.org/wiki/Directorate_General_of_Intelligence_and_Investigation

Financial Monitoring Unit

Financial Monitoring Unit (FMU)

The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Unit"

Table 1947. Table References

Links

https://en.wikipedia.org/wiki/Financial_Monitoring_Unit

National Accountability Bureau

National Accountability Bureau (NAB)

The tag is: misp-galaxy:intelligence-agency="National Accountability Bureau"

Table 1948. Table References

Links

https://en.wikipedia.org/wiki/National_Accountability_Bureau

Security and Exchange Commission of Pakistan

Security and Exchange Commission Pakistan (SECP)

The tag is: misp-galaxy:intelligence-agency="Security and Exchange Commission of Pakistan"

Table 1949. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Exchange_Commission_of_Pakistan

Anti-Narcotics Force

Anti-Narcotics Force (ANF)

The tag is: misp-galaxy:intelligence-agency="Anti-Narcotics Force"

Table 1950. Table References

Links

https://en.wikipedia.org/wiki/Anti-Narcotics_Force

National Crises Management Cell

National Crises Management Cell (NCMC)

The tag is: misp-galaxy:intelligence-agency="National Crises Management Cell"

Table 1951. Table References

Links

https://en.wikipedia.org/wiki/National_Crises_Management_Cell

Palestinian Preventive Security

Palestinian Preventive Security (internal security)

The tag is: misp-galaxy:intelligence-agency="Palestinian Preventive Security"

Table 1952. Table References

Links

https://en.wikipedia.org/wiki/Palestinian_Preventive_Security

Palestinian National Security Forces

Palestinian National Security Forces

The tag is: misp-galaxy:intelligence-agency="Palestinian National Security Forces"

Table 1953. Table References

Links

https://en.wikipedia.org/wiki/Palestinian_National_Security_Forces

National Police Intelligence Directorate

National Police Intelligence Directorate (DNIP) – Dirección Nacional de Inteligencia Policial

The tag is: misp-galaxy:intelligence-agency="National Police Intelligence Directorate"

Table 1954. Table References

Links

https://en.wikipedia.org/wiki/National_Police_Intelligence_Directorate

General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)

General Directorate of Analysis and Strategic Intelligence - Direccion General de Analisis e Inteligencia Estrategica (DGAIE)[23]

The tag is: misp-galaxy:intelligence-agency="General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)"

Table 1955. Table References

Links

https://en.wikipedia.org/w/index.php?title=General_Directorate_of_Analysis_and_Strategic_Intelligence_(Panama)&action=edit&redlink=1

National Intelligence and Security Service (Panama) (page does not exist)

National Intelligence and Security Service - Servicio Nacional de Inteligencia y Seguridad (SENIS)[24]

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Panama) (page does not exist)"

Table 1956. Table References

Links

https://en.wikipedia.org/w/index.php?title=National_Intelligence_and_Security_Service_(Panama)&action=edit&redlink=1

National Intelligence Organization (Papua New Guinea)

National Intelligence Organization (NIO)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Papua New Guinea)"

Table 1957. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Papua_New_Guinea)

National Directorate of Intelligence (Peru)

National Directorate of Intelligence - Dirección Nacional de Inteligencia (DINI)

The tag is: misp-galaxy:intelligence-agency="National Directorate of Intelligence (Peru)"

Table 1958. Table References

Links

https://en.wikipedia.org/wiki/National_Directorate_of_Intelligence_(Peru)

National Intelligence Coordinating Agency

National Intelligence Coordinating Agency (NICA) – Pambansang Ahensiya sa Ugnayang Intelihensiya

The tag is: misp-galaxy:intelligence-agency="National Intelligence Coordinating Agency"

National Intelligence Coordinating Agency is also known as:

  • Pambansang Ahensiya sa Ugnayang Intelihensiya

Table 1959. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Coordinating_Agency

National Bureau of Investigation (Philippines)

National Bureau of Investigation (NBI) – Pambansang Kawanihan ng Pagsisiyasat

The tag is: misp-galaxy:intelligence-agency="National Bureau of Investigation (Philippines)"

National Bureau of Investigation (Philippines) is also known as:

  • Pambansang Kawanihan ng Pagsisiyasat

Table 1960. Table References

Links

https://en.wikipedia.org/wiki/National_Bureau_of_Investigation_(Philippines)

Agencja Wywiadu

Foreign Intelligence Agency - Agencja Wywiadu (AW)

The tag is: misp-galaxy:intelligence-agency="Agencja Wywiadu"

Table 1961. Table References

Links

https://en.wikipedia.org/wiki/Agencja_Wywiadu

Agencja Bezpieczeństwa Wewnętrznego

Internal Security Agency - Agencja Bezpieczeństwa Wewnętrznego (ABW)

The tag is: misp-galaxy:intelligence-agency="Agencja Bezpieczeństwa Wewnętrznego"

Table 1962. Table References

Links

https://en.wikipedia.org/wiki/Agencja_Bezpiecze%C5%84stwa_Wewn%C4%99trznego

Służba Wywiadu Wojskowego (page does not exist)

Military Intelligence Service - Służba Wywiadu Wojskowego (SWW)

The tag is: misp-galaxy:intelligence-agency="Służba Wywiadu Wojskowego (page does not exist)"

Table 1963. Table References

Links

https://en.wikipedia.org/w/index.php?title=S%C5%82u%C5%BCba_Wywiadu_Wojskowego&action=edit&redlink=1

Służba Kontrwywiadu Wojskowego

Military Counter-intelligence Service - Służba Kontrwywiadu Wojskowego (SKW)

The tag is: misp-galaxy:intelligence-agency="Służba Kontrwywiadu Wojskowego"

Table 1964. Table References

Links

https://en.wikipedia.org/wiki/S%C5%82u%C5%BCba_Kontrwywiadu_Wojskowego

Border Guard (Poland)

Operations and Investigations Directorate of the Border Guard Headquarters - Zarząd Operacyjno-Śledczy Komendy Głównej Straży Granicznej (KGSG, ZOŚ, KGSG)

The tag is: misp-galaxy:intelligence-agency="Border Guard (Poland)"

Table 1965. Table References

Links

https://en.wikipedia.org/wiki/Border_Guard_(Poland)

Serviço de Informações de Segurança

Security Intelligence Service - Serviço de Informações de Segurança (SIS)

The tag is: misp-galaxy:intelligence-agency="Serviço de Informações de Segurança"

Table 1966. Table References

Links

https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_de_Seguran%C3%A7a

Serviço de Informações Estratégicas de Defesa

Defense Strategic Intelligence Service - Serviço de Informações Estratégicas de Defesa (SIED)

The tag is: misp-galaxy:intelligence-agency="Serviço de Informações Estratégicas de Defesa"

Table 1967. Table References

Links

https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_Estrat%C3%A9gicas_de_Defesa

CISMIL

Military Intelligence and Security Service - Centro de Informações e Segurança Militares (CISMIL)

The tag is: misp-galaxy:intelligence-agency="CISMIL"

Table 1968. Table References

Links

https://en.wikipedia.org/wiki/CISMIL

Qatar State Security

Qatar State Security

The tag is: misp-galaxy:intelligence-agency="Qatar State Security"

Table 1969. Table References

Links

https://en.wikipedia.org/wiki/Qatar_State_Security

Romanian Intelligence Service

Romanian Intelligence Service (SRI) – Serviciul Român de Informații

The tag is: misp-galaxy:intelligence-agency="Romanian Intelligence Service"

Romanian Intelligence Service is also known as:

  • Serviciul Român de Informații

Table 1970. Table References

Links

https://en.wikipedia.org/wiki/Romanian_Intelligence_Service

Foreign Intelligence Service (Romania)

Foreign Intelligence Service (SIE) – Serviciul de Informații Externe

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Romania)"

Foreign Intelligence Service (Romania) is also known as:

  • Serviciul de Informații Externe

Table 1971. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Romania)

Serviciul de Telecomunicații Speciale

Special Telecommunication Service (STS) – Serviciul de Telecomunicații Speciale

The tag is: misp-galaxy:intelligence-agency="Serviciul de Telecomunicații Speciale"

Table 1972. Table References

Links

https://en.wikipedia.org/wiki/Serviciul_de_Telecomunica%C8%9Bii_Speciale

Direcția Generală de Informații a Apărării

General Directorate for Defense Intelligence (DGIA) – Direcția Generală de Informații a Apărării

The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații a Apărării"

Table 1973. Table References

Links

https://en.wikipedia.org/wiki/Direc%C8%9Bia_General%C4%83_de_Informa%C8%9Bii_a_Ap%C4%83r%C4%83rii

Direcția Generală de Informații și Protecție Internă

General Directorate for Internal Security (DGPI) – Direcția Generală de Protecție Internă

The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații și Protecție Internă"

Direcția Generală de Informații și Protecție Internă is also known as:

  • Direcția Generală de Protecție Internă

Table 1974. Table References

Links

https://en.wikipedia.org/wiki/Direc%C8%9Bia_General%C4%83_de_Informa%C8%9Bii_%C8%99i_Protec%C8%9Bie_Intern%C4%83

Federal Security Service (Russia)

Federal Security Service (FSB) – Федеральная служба безопасности

The tag is: misp-galaxy:intelligence-agency="Federal Security Service (Russia)"

Federal Security Service (Russia) is also known as:

  • Федеральная служба безопасности

Table 1975. Table References

Links

https://en.wikipedia.org/wiki/Federal_Security_Service_(Russia)

Main Directorate of Special Programs of the President of the Russian Federation

Main Directorate of Special Programs of the President of the Russian Federation (GUSP) – Главное управление специальных программ Президента Российской Федерации

The tag is: misp-galaxy:intelligence-agency="Main Directorate of Special Programs of the President of the Russian Federation"

Main Directorate of Special Programs of the President of the Russian Federation is also known as:

  • Главное управление специальных программ Президента Российской Федерации

Table 1976. Table References

Links

https://en.wikipedia.org/wiki/Main_Directorate_of_Special_Programs_of_the_President_of_the_Russian_Federation

Foreign Intelligence Service (Russia)

Foreign Intelligence Service (Russia) (SVR) – Служба Внешней Разведки

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Russia)"

Foreign Intelligence Service (Russia) is also known as:

  • Служба Внешней Разведки

Table 1977. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Russia)

GRU (Russian Federation)

Main Intelligence Directorate (GRU) – Главное Разведывательное Управление

The tag is: misp-galaxy:intelligence-agency="GRU (Russian Federation)"

GRU (Russian Federation) is also known as:

  • Главное Разведывательное Управление

Table 1978. Table References

Links

https://en.wikipedia.org/wiki/GRU_(Russian_Federation)

Special Communications Service of Russia

Special Communications Service of Russia – Служба специальной связи и информации

The tag is: misp-galaxy:intelligence-agency="Special Communications Service of Russia"

Special Communications Service of Russia is also known as:

  • Служба специальной связи и информации

Table 1979. Table References

Links

https://en.wikipedia.org/wiki/Special_Communications_Service_of_Russia

National Intelligence and Security Service (Rwanda)

National Intelligence and Security Service (Rwanda)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Rwanda)"

Table 1980. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Rwanda)

Council of Political and Security Affairs (Saudi Arabia)

Council of Political and Security Affairs (CPSA) – مجلس الشؤون السياسية والأمنية

The tag is: misp-galaxy:intelligence-agency="Council of Political and Security Affairs (Saudi Arabia)"

Table 1981. Table References

Links

https://en.wikipedia.org/wiki/Council_of_Political_and_Security_Affairs_(Saudi_Arabia)

Al Mukhabarat Al A’amah

General Intelligence Presidency (GIP) – رئاسة الاستخبارات العامة

The tag is: misp-galaxy:intelligence-agency="Al Mukhabarat Al A’amah"

Table 1982. Table References

Links

https://en.wikipedia.org/wiki/Al_Mukhabarat_Al_A%27amah

Mabahith

Mabahith (GDI) – المباحث العامة

The tag is: misp-galaxy:intelligence-agency="Mabahith"

Table 1983. Table References

Links

https://en.wikipedia.org/wiki/Mabahith

Saudi Arabian Border Guards

Saudi Arabia Border Guards Intelligence Directorate – استخبارات حرس الحدود

The tag is: misp-galaxy:intelligence-agency="Saudi Arabian Border Guards"

Table 1984. Table References

Links

https://en.wikipedia.org/wiki/Saudi_Arabian_Border_Guards

The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني

The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني

The tag is: misp-galaxy:intelligence-agency="The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني"

Table 1985. Table References

Links

https://en.wikipedia.org#cite_note-25

Security Intelligence Agency

Security Intelligence Agency – Безбедносно-информативна агенција (BIA)

The tag is: misp-galaxy:intelligence-agency="Security Intelligence Agency"

Table 1986. Table References

Links

https://en.wikipedia.org/wiki/Security_Intelligence_Agency

Military Security Agency (Serbia)

Military Security Agency – Војнобезбедносна агенција (VBA)

The tag is: misp-galaxy:intelligence-agency="Military Security Agency (Serbia)"

Table 1987. Table References

Links

https://en.wikipedia.org/wiki/Military_Security_Agency_(Serbia)

Vojnoobaveštajna agencija

Military Intelligence Agency – Војнообавештајна агенција (VOA)

The tag is: misp-galaxy:intelligence-agency="Vojnoobaveštajna agencija"

Table 1988. Table References

Links

https://en.wikipedia.org/wiki/Vojnoobave%C5%A1tajna_agencija

Security and Intelligence Division

Security and Intelligence Division (SID)

The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Division"

Table 1989. Table References

Links

https://en.wikipedia.org/wiki/Security_and_Intelligence_Division

Internal Security Department (Singapore)

Internal Security Department (ISD)

The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Singapore)"

Table 1990. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Department_(Singapore)

Slovak Information Service

Slovak Information Service - Slovenská informačná služba (SIS)

The tag is: misp-galaxy:intelligence-agency="Slovak Information Service"

Table 1991. Table References

Links

https://en.wikipedia.org/wiki/Slovak_Information_Service

Vojenské spravodajstvo

Military Intelligence - Vojenské spravodajstvo

The tag is: misp-galaxy:intelligence-agency="Vojenské spravodajstvo"

Table 1992. Table References

Links

https://en.wikipedia.org/wiki/Vojensk%C3%A9_spravodajstvo

National Security Bureau (Slovakia)

National Security Bureau - Národný bezpečnostný úrad (NBÚ)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Slovakia)"

Table 1993. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Slovakia)

Slovenska Obveščevalno-Varnostna Agencija

Slovenian Intelligence and Security Agency - Slovenska Obveščevalno-Varnostna Agencija (SOVA)

The tag is: misp-galaxy:intelligence-agency="Slovenska Obveščevalno-Varnostna Agencija"

Table 1994. Table References

Links

https://en.wikipedia.org/wiki/Slovenska_Obve%C5%A1%C4%8Devalno-Varnostna_Agencija

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

The tag is: misp-galaxy:intelligence-agency="Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]"

Table 1995. Table References

Links

https://en.wikipedia.org#cite_note-26

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]

The tag is: misp-galaxy:intelligence-agency="General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]"

Table 1996. Table References

Links

https://en.wikipedia.org#cite_note-27

National Intelligence and Security Agency

National Intelligence and Security Agency (NISA)

The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency"

Table 1997. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Agency

State Security Agency (South Africa)

State Security Agency (SSA)

The tag is: misp-galaxy:intelligence-agency="State Security Agency (South Africa)"

Table 1998. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Agency_(South_Africa)

South African National Defence Force Intelligence Division

South African National Defence Force, Intelligence Division (SANDF-ID)

The tag is: misp-galaxy:intelligence-agency="South African National Defence Force Intelligence Division"

Table 1999. Table References

Links

https://en.wikipedia.org/wiki/South_African_National_Defence_Force_Intelligence_Division

Crime Intelligence (SAPS)

Crime Intelligence Division, South African Police Service

The tag is: misp-galaxy:intelligence-agency="Crime Intelligence (SAPS)"

Table 2000. Table References

Links

https://en.wikipedia.org/wiki/Crime_Intelligence_(SAPS)

National Intelligence Service (South Korea)

National Intelligence Service (NIS)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (South Korea)"

Table 2001. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Service_(South_Korea)

Defense Intelligence Agency (South Korea)

Defense Intelligence Agency (DIA)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency (South Korea)"

Table 2002. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Agency_(South_Korea)

Defence Intelligence Command (page does not exist)

Defence Intelligence Command [ko] (DIC)

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Command (page does not exist)"

Table 2003. Table References

Links

https://en.wikipedia.org/w/index.php?title=Defence_Intelligence_Command&action=edit&redlink=1

Defense Security Support Command (page does not exist)

Defense Security Support Command [ko] (DSSC)

The tag is: misp-galaxy:intelligence-agency="Defense Security Support Command (page does not exist)"

Table 2004. Table References

Links

https://en.wikipedia.org/w/index.php?title=Defense_Security_Support_Command&action=edit&redlink=1

Department of Homeland Security (Spain)

Department of Homeland Security (DSN)

The tag is: misp-galaxy:intelligence-agency="Department of Homeland Security (Spain)"

Table 2005. Table References

Links

https://en.wikipedia.org/wiki/Department_of_Homeland_Security_(Spain)

National Cryptologic Center

National Cryptologic Center - (Centro Criptológico Nacional) (CCN)

The tag is: misp-galaxy:intelligence-agency="National Cryptologic Center"

Table 2006. Table References

Links

https://en.wikipedia.org/wiki/National_Cryptologic_Center

Spanish Armed Forces Intelligence Center

Armed Forces Intelligence Center (CIFAS)

The tag is: misp-galaxy:intelligence-agency="Spanish Armed Forces Intelligence Center"

Table 2007. Table References

Links

https://en.wikipedia.org/wiki/Spanish_Armed_Forces_Intelligence_Center

Joint Cyberspace Command

Joint Cyberspace Command (MCCE)

The tag is: misp-galaxy:intelligence-agency="Joint Cyberspace Command"

Table 2008. Table References

Links

https://en.wikipedia.org/wiki/Joint_Cyberspace_Command

Centro de Inteligencia contra el Terrorismo y el Crimen Organizado

Intelligence Center for Counter-Terrorism and Organized Crime - (Centro de Inteligencia contra el Terrorismo y el Crimen Organizado) (CITCO)

The tag is: misp-galaxy:intelligence-agency="Centro de Inteligencia contra el Terrorismo y el Crimen Organizado"

Table 2009. Table References

Links

https://en.wikipedia.org/wiki/Centro_de_Inteligencia_contra_el_Terrorismo_y_el_Crimen_Organizado

Brigada de Investigación Tecnológica

Technological Research Brigade (BIT)

The tag is: misp-galaxy:intelligence-agency="Brigada de Investigación Tecnológica"

Table 2010. Table References

Links

https://en.wikipedia.org/wiki/Brigada_de_Investigaci%C3%B3n_Tecnol%C3%B3gica

General Commissariat of Information

General Commissariat of Information - (Comisaría General de la Información) (CGI)

The tag is: misp-galaxy:intelligence-agency="General Commissariat of Information"

Table 2011. Table References

Links

https://en.wikipedia.org/wiki/General_Commissariat_of_Information

General Commissariat of Judiciary Police

General Commissariat of Judiciary Police - (Comisaría General de Policía Judicial) (CGPJ)

The tag is: misp-galaxy:intelligence-agency="General Commissariat of Judiciary Police"

Table 2012. Table References

Links

https://en.wikipedia.org/wiki/General_Commissariat_of_Judiciary_Police

State Intelligence Service (Sri Lanka)

State Intelligence Service (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="State Intelligence Service (Sri Lanka)"

Table 2013. Table References

Links

https://en.wikipedia.org/wiki/State_Intelligence_Service_(Sri_Lanka)

Special Branch (Sri Lanka)

Special Branch

The tag is: misp-galaxy:intelligence-agency="Special Branch (Sri Lanka)"

Terrorist Investigation Division

Terrorist Investigation Division

The tag is: misp-galaxy:intelligence-agency="Terrorist Investigation Division"

Criminal Investigation Department (Sri Lanka)

Criminal Investigation Department (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Sri Lanka)"

Table 2014. Table References

Links

https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Sri_Lanka)

Financial Crimes Investigation Division

Financial Crimes Investigation Division

The tag is: misp-galaxy:intelligence-agency="Financial Crimes Investigation Division"

Table 2015. Table References

Links

https://en.wikipedia.org/wiki/Financial_Crimes_Investigation_Division

Directorate of Military Intelligence (Sri Lanka)

Directorate of Military Intelligence (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Sri Lanka)"

Table 2016. Table References

Links

https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Sri_Lanka)

Military Intelligence Corps (Sri Lanka)

Military Intelligence Corps (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (Sri Lanka)"

Table 2017. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(Sri_Lanka)

Department of Naval Intelligence

Department of Naval Intelligence

The tag is: misp-galaxy:intelligence-agency="Department of Naval Intelligence"

Directorate of Air Intelligence

Directorate of Air Intelligence

The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence"

Financial Intelligence Unit (Sri Lanka)

Financial Intelligence Unit (Sri Lanka)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Sri Lanka),"

General Intelligence Service (Sudan)

General Intelligence Service

The tag is: misp-galaxy:intelligence-agency="General Intelligence Service (Sudan)"

Table 2018. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Service_(Sudan)

Kontoret för särskild inhämtning

Office for Special Acquisition – Kontoret för särskild inhämtning (KSI)

The tag is: misp-galaxy:intelligence-agency="Kontoret för särskild inhämtning"

Table 2019. Table References

Links

https://en.wikipedia.org/wiki/Kontoret_f%C3%B6r_s%C3%A4rskild_inh%C3%A4mtning

National Defence Radio Establishment

National Defence Radio Establishment – Försvarets Radioanstalt (FRA)

The tag is: misp-galaxy:intelligence-agency="National Defence Radio Establishment"

Table 2020. Table References

Links

https://en.wikipedia.org/wiki/National_Defence_Radio_Establishment

Swedish Security Service

Swedish Security Service – Säkerhetspolisen (Säpo)

The tag is: misp-galaxy:intelligence-agency="Swedish Security Service"

Table 2021. Table References

Links

https://en.wikipedia.org/wiki/Swedish_Security_Service

Swiss intelligence agencies

Federal Intelligence Service - Nachrichtendienst des Bundes (NDB)

The tag is: misp-galaxy:intelligence-agency="Swiss intelligence agencies"

Table 2022. Table References

Links

https://en.wikipedia.org/wiki/Swiss_intelligence_agencies

Militärischer Nachrichtendienst

Military Intelligence Service - Militärischer Nachrichtendienst (MND)

The tag is: misp-galaxy:intelligence-agency="Militärischer Nachrichtendienst"

Table 2023. Table References

Links

https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Nachrichtendienst

Air Force Intelligence Directorate

Air Force Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Directorate"

Table 2024. Table References

Links

https://en.wikipedia.org/wiki/Air_Force_Intelligence_Directorate

General Intelligence Directorate (Syria)

General Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="General Intelligence Directorate (Syria)"

Table 2025. Table References

Links

https://en.wikipedia.org/wiki/General_Intelligence_Directorate_(Syria)

Political Security Directorate

Political Security Directorate

The tag is: misp-galaxy:intelligence-agency="Political Security Directorate"

Table 2026. Table References

Links

https://en.wikipedia.org/wiki/Political_Security_Directorate

Military Intelligence Directorate (Syria)

Military Intelligence Directorate

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Syria)"

Table 2027. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Syria)

National Security Bureau (Republic of China)

National Security Bureau (NSB)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Republic of China)"

Table 2028. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Republic_of_China)

Bureau of Investigation (Taiwan)

Investigation Bureau (MJIB)

The tag is: misp-galaxy:intelligence-agency="Bureau of Investigation (Taiwan)"

Table 2029. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Investigation_(Taiwan)

National Police Agency of the ROC (Taiwan)

National Police Agency (NPA)

The tag is: misp-galaxy:intelligence-agency="National Police Agency of the ROC (Taiwan)"

Table 2030. Table References

Links

https://en.wikipedia.org/wiki/National_Police_Agency_of_the_ROC_(Taiwan)

Republic of China Military Police

Military Police Command (ROCMP)

The tag is: misp-galaxy:intelligence-agency="Republic of China Military Police"

Table 2031. Table References

Links

https://en.wikipedia.org/wiki/Republic_of_China_Military_Police

Bureau of Military Intelligence

Military Intelligence Bureau (MIB)

The tag is: misp-galaxy:intelligence-agency="Bureau of Military Intelligence"

Table 2032. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Military_Intelligence

State Committee for National Security (Tajikistan)

State Committee for National Security (SCNS) – Кумитаи давлатии амнияти милли (КДАМ)/Государственный комитет национальной безопасности (ГКНБ)

The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Tajikistan)"

Table 2033. Table References

Links

https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Tajikistan)

Tanzania Intelligence and Security Service

Tanzania Intelligence and Security Service (TISS)

The tag is: misp-galaxy:intelligence-agency="Tanzania Intelligence and Security Service"

Table 2034. Table References

Links

https://en.wikipedia.org/wiki/Tanzania_Intelligence_and_Security_Service

News Division

News Division

The tag is: misp-galaxy:intelligence-agency="News Division"

Internal Security Affairs Bureau (ISAB)

Internal Security Affairs Bureau (ISAB)

The tag is: misp-galaxy:intelligence-agency="Internal Security Affairs Bureau (ISAB)"

Bureau of Intelligence (BI)

Bureau of Intelligence (BI)

The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence (BI)"

Intelligence Bureau (IB)

Intelligence Bureau (IB)

The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (IB)"

Armed Forces Security Center (AFSC)

Armed Forces Security Center (AFSC)

The tag is: misp-galaxy:intelligence-agency="Armed Forces Security Center (AFSC)"

Army Military Intelligence Command (AMIC)

Army Military Intelligence Command (AMIC)

The tag is: misp-galaxy:intelligence-agency="Army Military Intelligence Command (AMIC)"

Department of Border Affair (DBA)

Department of Border Affair (DBA)

The tag is: misp-galaxy:intelligence-agency="Department of Border Affair (DBA)"

Directorate of Joint Intelligence (DJI)

Directorate of Joint Intelligence (DJI)

The tag is: misp-galaxy:intelligence-agency="Directorate of Joint Intelligence (DJI)"

Directorate of Intelligence Royal Thai Army (DINTRTA)

Directorate of Intelligence Royal Thai Army (DINTRTA)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence Royal Thai Army (DINTRTA)"

Directorate of Intelligence, RTAF (INTELLRTAF)

Directorate of Intelligence, RTAF (INTELLRTAF)

The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence, RTAF (INTELLRTAF)"

Naval Intelligence Department (NID)

Naval Intelligence Department (NID)

The tag is: misp-galaxy:intelligence-agency="Naval Intelligence Department (NID)"

Financial Intelligence Division (FID)

Financial Intelligence Division (FID)

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Division (FID)"

Internal Security Operations Command

Internal Security Operations Command (ISOC)

The tag is: misp-galaxy:intelligence-agency="Internal Security Operations Command"

Table 2035. Table References

Links

https://en.wikipedia.org/wiki/Internal_Security_Operations_Command

National Intelligence Agency (Thailand)

National Intelligence Agency (NIA)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Thailand)"

Table 2036. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Thailand)

National Intelligence Cooperating Center (NICC)

National Intelligence Cooperating Center (NICC)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Cooperating Center (NICC)"

Drug Intelligence Division (DID)

Drug Intelligence Division (DID)

The tag is: misp-galaxy:intelligence-agency="Drug Intelligence Division (DID)"

Special Branch Bureau

Special Branch Bureau (SBB)

The tag is: misp-galaxy:intelligence-agency="Special Branch Bureau"

Table 2037. Table References

Links

https://en.wikipedia.org/wiki/Special_Branch_Bureau

Strategic Services Agency (SSA)[28]

Strategic Services Agency (SSA)[28]

The tag is: misp-galaxy:intelligence-agency="Strategic Services Agency (SSA)[28]"

Table 2038. Table References

Links

https://en.wikipedia.org#cite_note-28

Organised Crime and Intelligence Unit[30]

Organised Crime and Intelligence Unit[30]

The tag is: misp-galaxy:intelligence-agency="Organised Crime and Intelligence Unit[30]"

Table 2039. Table References

Links

https://en.wikipedia.org#cite_note-30

Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]

Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]

The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]"

Table 2040. Table References

Links

https://en.wikipedia.org#cite_note-31

National Intelligence Organization (Turkey)

National Intelligence Organization (MİT)

The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Turkey)"

Table 2041. Table References

Links

https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Turkey)

Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)

Department of Smuggling, Intelligence, Operations and Information Collection (intelligence coordination)

The tag is: misp-galaxy:intelligence-agency="Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)"

Table 2042. Table References

Links

https://en.wikipedia.org/w/index.php?title=Department_of_Smuggling

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (Intelligence Directorate)

The tag is: misp-galaxy:intelligence-agency="Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)"

Table 2043. Table References

Links

https://en.wikipedia.org/w/index.php?title=Emniyet_Genel_M%C3%BCd%C3%BCrl%C3%BC%C4%9F%C3%BC_%C4%B0stihbarat_Ba%C5%9Fkanl%C4%B1%C4%9F%C4%B1&action=edit&redlink=1

Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)

Terörle Mücadele Dairesi Başkanlığı(TEM) (Anti-Terrorism Department)

The tag is: misp-galaxy:intelligence-agency="Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)"

Table 2044. Table References

Links

https://en.wikipedia.org/w/index.php?title=Ter%C3%B6rle_M%C3%BCcadele_Dairesi_Ba%C5%9Fkanl%C4%B1%C4%9F%C4%B1(TEM)&action=edit&redlink=1

Gendarmerie Intelligence Directorate (page does not exist)

Gendarmerie Intelligence Directorate (law enforcement)

The tag is: misp-galaxy:intelligence-agency="Gendarmerie Intelligence Directorate (page does not exist)"

Table 2045. Table References

Links

https://en.wikipedia.org/w/index.php?title=Gendarmerie_Intelligence_Directorate&action=edit&redlink=1

Coast Guard Intelligence Directorate (page does not exist)

Coast Guard Intelligence Directorate (law enforcement)

The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence Directorate (page does not exist)"

Table 2046. Table References

Links

https://en.wikipedia.org/w/index.php?title=Coast_Guard_Intelligence_Directorate&action=edit&redlink=1

General Staff Intelligence Directorate (page does not exist)

General Staff Intelligence Directorate (military intelligence)

The tag is: misp-galaxy:intelligence-agency="General Staff Intelligence Directorate (page does not exist)"

Table 2047. Table References

Links

https://en.wikipedia.org/w/index.php?title=General_Staff_Intelligence_Directorate&action=edit&redlink=1

Army Intelligence Department (page does not exist)

Army Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Army Intelligence Department (page does not exist)"

Table 2048. Table References

Links

https://en.wikipedia.org/w/index.php?title=Army_Intelligence_Department&action=edit&redlink=1

Navy Intelligence Department (page does not exist)

Navy Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Navy Intelligence Department (page does not exist)"

Table 2049. Table References

Links

https://en.wikipedia.org/w/index.php?title=Navy_Intelligence_Department&action=edit&redlink=1

Air Force Intelligence Department (page does not exist)

Air Force Intelligence Department (military intelligence)

The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Department (page does not exist)"

Table 2050. Table References

Links

https://en.wikipedia.org/w/index.php?title=Air_Force_Intelligence_Department&action=edit&redlink=1

Ministry for National Security (Turkmenistan)

Ministry for National Security (MNS)

The tag is: misp-galaxy:intelligence-agency="Ministry for National Security (Turkmenistan)"

Table 2051. Table References

Links

https://en.wikipedia.org/wiki/Ministry_for_National_Security_(Turkmenistan)

Chief directorate of intelligence of the Ministry of Defence of Ukraine

Central Intelligence Directorate – Holovne Upravlinnya Rozvidky (HUR)

The tag is: misp-galaxy:intelligence-agency="Chief directorate of intelligence of the Ministry of Defence of Ukraine"

Table 2052. Table References

Links

https://en.wikipedia.org/wiki/Chief_directorate_of_intelligence_of_the_Ministry_of_Defence_of_Ukraine

Foreign Intelligence Service of Ukraine

Foreign Intelligence Service of Ukraine – Sluzhba Zovnishnioyi Rozvidky Ukrayiny (SZR or SZRU)

The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service of Ukraine"

Table 2053. Table References

Links

https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_of_Ukraine

State Bureau of Investigation (Ukraine)

State Bureau of Investigation – Derzhavne Biuro Rozsliduvan (DBR)

The tag is: misp-galaxy:intelligence-agency="State Bureau of Investigation (Ukraine)"

Table 2054. Table References

Links

https://en.wikipedia.org/wiki/State_Bureau_of_Investigation_(Ukraine)

Security Service of Ukraine

Security Service of Ukraine – Sluzhba Bezpeky Ukrayiny (SBU)

The tag is: misp-galaxy:intelligence-agency="Security Service of Ukraine"

Table 2055. Table References

Links

https://en.wikipedia.org/wiki/Security_Service_of_Ukraine

Signals Intelligence Agency

Signals Intelligence Agency (SIA)

The tag is: misp-galaxy:intelligence-agency="Signals Intelligence Agency"

Table 2056. Table References

Links

https://en.wikipedia.org/wiki/Signals_Intelligence_Agency

Joint Intelligence Organisation (United Kingdom)

Joint Intelligence Organisation (JIO)[32] – Joint intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="Joint Intelligence Organisation (United Kingdom)"

Table 2057. Table References

Links

https://en.wikipedia.org/wiki/Joint_Intelligence_Organisation_(United_Kingdom)

MI5

Security Service/MI5[33] – Domestic counter terrorism and counter espionage intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="MI5"

Table 2058. Table References

Links

https://en.wikipedia.org/wiki/MI5

Office for Security and Counter-Terrorism

Office for Security and Counter-Terrorism (OSCT) – Counter terrorism and protecting critical national infrastructure.

The tag is: misp-galaxy:intelligence-agency="Office for Security and Counter-Terrorism"

Table 2059. Table References

Links

https://en.wikipedia.org/wiki/Office_for_Security_and_Counter-Terrorism

National Domestic Extremism and Disorder Intelligence Unit

National Domestic Extremism and Disorder Intelligence Unit (NDEDIU)[34] – Domestic counter extremism and public disorder intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="National Domestic Extremism and Disorder Intelligence Unit"

Table 2060. Table References

Links

https://en.wikipedia.org/wiki/National_Domestic_Extremism_and_Disorder_Intelligence_Unit

National Ballistics Intelligence Service

National Ballistics Intelligence Service (NBIS)[35] – Illegal firearms intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="National Ballistics Intelligence Service"

Table 2061. Table References

Links

https://en.wikipedia.org/wiki/National_Ballistics_Intelligence_Service

National Fraud Intelligence Bureau

National Fraud Intelligence Bureau (NFIB)[36] – Economic crime intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="National Fraud Intelligence Bureau"

Table 2062. Table References

Links

https://en.wikipedia.org/wiki/National_Fraud_Intelligence_Bureau

Secret Intelligence Service

Secret Intelligence Service (SIS)/MI6[37] – Foreign intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="Secret Intelligence Service"

Table 2063. Table References

Links

https://en.wikipedia.org/wiki/Secret_Intelligence_Service

Defence Intelligence

Defence Intelligence (DI)[38] – Military intelligence analysis.

The tag is: misp-galaxy:intelligence-agency="Defence Intelligence"

Table 2064. Table References

Links

https://en.wikipedia.org/wiki/Defence_Intelligence

Government Communications Headquarters

Government Communications Headquarters (GCHQ)[39] – Signals intelligence gathering and analysis.

The tag is: misp-galaxy:intelligence-agency="Government Communications Headquarters"

Table 2065. Table References

Links

https://en.wikipedia.org/wiki/Government_Communications_Headquarters

National Crime Agency

National Crime Agency (NCA)[40] – Organised crime intelligence gathering and analysis. The agency makes use of unexplained wealth orders and the Investigatory Powers Act 2016.[41][42] NCA officers are posted overseas in around 50 countries.[43] The NCA operates the UK Protected Persons Service, which includes witness protection.[44]

The tag is: misp-galaxy:intelligence-agency="National Crime Agency"

Table 2066. Table References

Links

https://en.wikipedia.org/wiki/National_Crime_Agency

Gangmasters and Labour Abuse Authority

Gangmasters and Labour Abuse Authority - Human trafficking, slavery, economic, and serious organised crime.

The tag is: misp-galaxy:intelligence-agency="Gangmasters and Labour Abuse Authority"

Table 2067. Table References

Links

https://en.wikipedia.org/wiki/Gangmasters_and_Labour_Abuse_Authority

Director of National Intelligence

Office of the Director of National Intelligence (ODNI)

The tag is: misp-galaxy:intelligence-agency="Director of National Intelligence"

Table 2068. Table References

Links

https://en.wikipedia.org/wiki/Director_of_National_Intelligence

Central Intelligence Agency

Central Intelligence Agency (CIA)

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Agency"

Table 2069. Table References

Links

https://en.wikipedia.org/wiki/Central_Intelligence_Agency

Defense Intelligence Agency

Defense Intelligence Agency (DIA)

The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency"

Table 2070. Table References

Links

https://en.wikipedia.org/wiki/Defense_Intelligence_Agency

National Security Agency

National Security Agency (NSA)

The tag is: misp-galaxy:intelligence-agency="National Security Agency"

Table 2071. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Agency

National Geospatial-Intelligence Agency

National Geospatial-Intelligence Agency (NGA)

The tag is: misp-galaxy:intelligence-agency="National Geospatial-Intelligence Agency"

Table 2072. Table References

Links

https://en.wikipedia.org/wiki/National_Geospatial-Intelligence_Agency

National Reconnaissance Office

National Reconnaissance Office (NRO)

The tag is: misp-galaxy:intelligence-agency="National Reconnaissance Office"

Table 2073. Table References

Links

https://en.wikipedia.org/wiki/National_Reconnaissance_Office

Military Intelligence Corps (United States Army)

Military Intelligence Corps (MIC)

The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (United States Army)"

Table 2074. Table References

Links

https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(United_States_Army)

Marine Corps Intelligence

Marine Corps Intelligence (MCI)

The tag is: misp-galaxy:intelligence-agency="Marine Corps Intelligence"

Table 2075. Table References

Links

https://en.wikipedia.org/wiki/Marine_Corps_Intelligence

Office of Naval Intelligence

Office of Naval Intelligence (ONI)

The tag is: misp-galaxy:intelligence-agency="Office of Naval Intelligence"

Table 2076. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Naval_Intelligence

Sixteenth Air Force

Sixteenth Air Force (16 AF)

The tag is: misp-galaxy:intelligence-agency="Sixteenth Air Force"

Table 2077. Table References

Links

https://en.wikipedia.org/wiki/Sixteenth_Air_Force

Space Delta 18

Space Delta 18 (DEL 18)

The tag is: misp-galaxy:intelligence-agency="Space Delta 18"

Table 2078. Table References

Links

https://en.wikipedia.org/wiki/Space_Delta_18

Office of Intelligence and Counterintelligence

Office of Intelligence and Counterintelligence (OICI)

The tag is: misp-galaxy:intelligence-agency="Office of Intelligence and Counterintelligence"

Table 2079. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Intelligence_and_Counterintelligence

Coast Guard Intelligence

Coast Guard Intelligence (CGI)

The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence"

Table 2080. Table References

Links

https://en.wikipedia.org/wiki/Coast_Guard_Intelligence

DHS Office of Intelligence and Analysis

DHS Office of Intelligence and Analysis (I&A)

The tag is: misp-galaxy:intelligence-agency="DHS Office of Intelligence and Analysis"

Table 2081. Table References

Links

https://en.wikipedia.org/wiki/DHS_Office_of_Intelligence_and_Analysis

DEA Office of National Security Intelligence

DEA Office of National Security Intelligence (ONSI)

The tag is: misp-galaxy:intelligence-agency="DEA Office of National Security Intelligence"

Table 2082. Table References

Links

https://en.wikipedia.org/wiki/DEA_Office_of_National_Security_Intelligence

FBI Intelligence Branch

FBI Intelligence Branch (IB)

The tag is: misp-galaxy:intelligence-agency="FBI Intelligence Branch"

Table 2083. Table References

Links

https://en.wikipedia.org/wiki/FBI_Intelligence_Branch

Bureau of Intelligence and Research

Bureau of Intelligence and Research (IR)

The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence and Research"

Table 2084. Table References

Links

https://en.wikipedia.org/wiki/Bureau_of_Intelligence_and_Research

Office of Terrorism and Financial Intelligence

Office of Terrorism and Financial Intelligence (TFI)

The tag is: misp-galaxy:intelligence-agency="Office of Terrorism and Financial Intelligence"

Table 2085. Table References

Links

https://en.wikipedia.org/wiki/Office_of_Terrorism_and_Financial_Intelligence

es:Secretaría de Inteligencia Estratégica de Estado

State Secretariat of Strategic Intelligence - Secretaría de Inteligencia Estratégica de Estado (SIEE)

The tag is: misp-galaxy:intelligence-agency="es:Secretaría de Inteligencia Estratégica de Estado"

es:Secretaría de Inteligencia Estratégica de Estado is also known as:

  • Secretaría de Inteligencia Estratégica de Estado

Table 2086. Table References

Links

https://es.wikipedia.org/wiki/Secretar%C3%ADa_de_Inteligencia_Estrat%C3%A9gica_de_Estado

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

The tag is: misp-galaxy:intelligence-agency="National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)"

State Security Service (Uzbekistan)

State Security Service - Davlat Xavfsizlik Xizmati (DXX)/ Служба государственной безопасности (СГБ)

The tag is: misp-galaxy:intelligence-agency="State Security Service (Uzbekistan)"

Table 2087. Table References

Links

https://en.wikipedia.org/wiki/State_Security_Service_(Uzbekistan)

Bolivarian National Intelligence Service

Bolivarian National Intelligence Service - Servicio Bolivariano de Inteligencia (SEBIN)

The tag is: misp-galaxy:intelligence-agency="Bolivarian National Intelligence Service"

Table 2088. Table References

Links

https://en.wikipedia.org/wiki/Bolivarian_National_Intelligence_Service

Dirección General de Contrainteligencia Militar

Directorate General of Military Intelligence – Dirección General de Contrainteligencia Militar (DGCIM)

The tag is: misp-galaxy:intelligence-agency="Dirección General de Contrainteligencia Militar"

Table 2089. Table References

Links

https://en.wikipedia.org/wiki/Direcci%C3%B3n_General_de_Contrainteligencia_Militar

General Department of Military Intelligence

General Department of Defence Intelligence (GDDI)/General Department II - Tổng cục Tình báo Quốc phòng (TBQP)/Tổng cục II (TC2)

The tag is: misp-galaxy:intelligence-agency="General Department of Military Intelligence"

Table 2090. Table References

Links

https://en.wikipedia.org/wiki/General_Department_of_Military_Intelligence

Political Security Organization

Political Security Organization (PSO)

The tag is: misp-galaxy:intelligence-agency="Political Security Organization"

Table 2091. Table References

Links

https://en.wikipedia.org/wiki/Political_Security_Organization

National Security Bureau (Yemen)

National Security Bureau (NSB)

The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Yemen)"

Table 2092. Table References

Links

https://en.wikipedia.org/wiki/National_Security_Bureau_(Yemen)

Central Intelligence Organisation

Central Intelligence Organisation (CIO)

The tag is: misp-galaxy:intelligence-agency="Central Intelligence Organisation"

Table 2093. Table References

Links

https://en.wikipedia.org/wiki/Central_Intelligence_Organisation

Counter Terrorism Group

Counter Terrorism Group (CTG)

The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Group"

Table 2094. Table References

Links

https://en.wikipedia.org/wiki/Counter_Terrorism_Group

European Union Military Staff

European Union Military Staff (EUMS)

The tag is: misp-galaxy:intelligence-agency="European Union Military Staff"

Table 2095. Table References

Links

https://en.wikipedia.org/wiki/European_Union_Military_Staff

European Union Satellite Centre

European Union Satellite Centre (EU SatCen)

The tag is: misp-galaxy:intelligence-agency="European Union Satellite Centre"

Table 2096. Table References

Links

https://en.wikipedia.org/wiki/European_Union_Satellite_Centre

Regional Anti-Terrorist Structure

Regional Anti-Terrorist Structure (RATS)

The tag is: misp-galaxy:intelligence-agency="Regional Anti-Terrorist Structure"

Table 2097. Table References

Links

https://en.wikipedia.org/wiki/Regional_Anti-Terrorist_Structure

INTERPOL DWVA Taxonomy

This taxonomy defines common forms of abuse and entities that represent real-world actors and services that are part of the larger Darknet and Cryptoasset ecosystems.

INTERPOL DWVA Taxonomy is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

INTERPOL Darkweb and Virtual Assets Working Group

Decentralized Apps

An application that does not rely on a central server but on several decentralized nodes. Each user can choose to be an active node serving the app.

The tag is: misp-galaxy:dwva="Decentralized Apps"

Hardware Wallet

A [hardware] cryptocurrency wallet is a device, physical medium, (…) which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.

The tag is: misp-galaxy:dwva="Hardware Wallet"

Distributed Hash Technology

A decentralized distributed system that provides a way to share contact information, so that people downloading the same file can discover each other. Both Tor and I2P use a DHT. Because hidden-service domain resolution is distributed, it is possible to deploy nodes in the DHT to monitor requests for a given domain.

The tag is: misp-galaxy:dwva="Distributed Hash Technology"

Bitcoin

Bitcoin is a network protocol based on blockchain, introduced by Nakamoto [11] which allows payments and coin transfers to be made among participating entities. No trusted

The tag is: misp-galaxy:dwva="Bitcoin"

Counterfeit product

Counterfeit consumer goods are goods, often of inferior quality, made or sold under another’s brand name without the brand owner’s authorization.

The tag is: misp-galaxy:dwva="Counterfeit product"

Shop owner

A shop owner is an actor within the group of Criminal Actors, operating a DW shop.

The tag is: misp-galaxy:dwva="Shop owner"

Hierarchically Deterministic wallets

An HD (Hierarchical Deterministic) wallet is a tree of private/public keypairs derived from a master seed. This technology provides both account management and identity masking. A user only needs to keep the master seed, because all subsequent keypairs can be generated deterministically from the root key, and the public key that is exposed can be changed for each transaction.

The tag is: misp-galaxy:dwva="Hierarchically Deterministic wallets"

Non Fungible Token

A non-fungible token (NFT) is a unit of data stored on a digital ledger, called a blockchain, that certifies a digital asset to be unique and therefore not interchangeable. NFTs can be used to represent items such as photos, videos, audio, and other types of digital files.

The tag is: misp-galaxy:dwva="Non Fungible Token"

Table 2098. Table References

Links

https://en.wikipedia.org/wiki/Non-fungible_token

Bulletproof Hosting

A (hosting) service that guarantees the availability of hosted resources even when they are found to be malicious or illegal.

The tag is: misp-galaxy:dwva="Bulletproof Hosting"

Darknet Wiki

Wiki services, including directory services for other hidden services, hosted in the Dark Web.

The tag is: misp-galaxy:dwva="Darknet Wiki"

Proof of Stake

In a Proof of Stake (PoS) network, users need to prove ownership of a sufficient stake to become validators. Ethereum (ETH) is moving from PoW to PoS. PoS offers several advantages over PoW: it is energy efficient, reduces hardware requirements and is less prone to centralisation.

The tag is: misp-galaxy:dwva="Proof of Stake"

Multisig

Multisig refers to all the transactions that require two or more signatures. Multisignature transactions and addresses are validated only when at least x of the possible y signatories have signed. x and y are defined at creation.

The tag is: misp-galaxy:dwva="Multisig"

Zcash

A cryptocurrency with a decentralized blockchain that provides anonymity for its users and their transactions. It is similar to Bitcoin in being open source, but its major difference is the increased level of privacy it provides.

The tag is: misp-galaxy:dwva="Zcash"

Finalize Early

Buyers may "finalize early" (FE), releasing funds from escrow to the vendor prior to receiving their goods in order to expedite a transaction. This can be done when there is a trust relationship between vendor and buyer, however it does leave the buyer vulnerable to fraud if they choose to do so.

The tag is: misp-galaxy:dwva="Finalize Early"

Coin swapping

CoinSwap is a protocol to make a transaction via a third party to obfuscate the money flow. For instance, when Alice would like to pay Bob, Carol offers to receive Alice’s coin and pay Bob with an unconnected coin. While none of these parties trusts each other, this protocol does not allow Carol to rob Alice’s coin.

The tag is: misp-galaxy:dwva="Coin swapping"

Ripple

Ripple is a real-time gross settlement system, currency exchange and remittance network created by Ripple Labs Inc., a US-based technology company. (…) The ledger employs the native cryptocurrency known as XRP.

The tag is: misp-galaxy:dwva="Ripple"

Vendor

Someone who is selling something.

The tag is: misp-galaxy:dwva="Vendor"

Table 2099. Table References

Links

https://dictionary.cambridge.org/dictionary/english/vendor

Initial Coin Offering / Initial Crypto-Tokens Offering

Initial Coin Offerings (ICO) are public offers of new cryptocurrencies in exchange for existing ones, aimed at financing projects in the blockchain development arena. The typical pattern is for a startup to produce a white paper that describes its business model and technical approach. The white paper includes details about the functions that the tokens issued during the ICO will perform and the process of token creation.

The tag is: misp-galaxy:dwva="Initial Coin Offering / Initial Crypto-Tokens Offering"

Layer 2

Layer 2 is a collective term for solutions designed to help scale decentralised applications by handling transactions off the Ethereum mainnet (layer 1), while taking advantage of the robust decentralized security model of mainnet.

The tag is: misp-galaxy:dwva="Layer 2"

Table 2100. Table References

Links

https://ethereum.org/en/developers/docs/scaling/layer-2-rollups

Virtual Asset Service Provider

Virtual asset service provider means any natural or legal person who (…) as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i) exchange between virtual assets and fiat currencies; ii) exchange between one or more forms of virtual assets; iii) transfer of virtual assets; iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The tag is: misp-galaxy:dwva="Virtual Asset Service Provider"

Decentralized Exchange

Same as an exchange, but in a completely distributed environment. There is no central hosting server; all nodes are servers.

The tag is: misp-galaxy:dwva="Decentralized Exchange"

Metadata

Refers to data that provides information about a certain item’s content. For example, an image may include information that describes how large the picture is or when the image was created, while a text document may contain information about the author of the document, or the IP address of the document’s author, and so on.

The tag is: misp-galaxy:dwva="Metadata"

Exit scam

An exit scam can be performed by a darknet market or a single vendor shop. It is the process in which one or more of the market admins prevent users from withdrawing funds through the escrow system and then close the market, exiting with all the bitcoins and other digital currencies they were holding in escrow.

The tag is: misp-galaxy:dwva="Exit scam"

Smart contract

A smart contract is a self-executing contract with the terms of the agreement between buyer and seller being directly written into lines of code. The code and the agreements contained therein exist across a distributed, decentralized blockchain network. The code controls the execution, and transactions are trackable and irreversible.

The tag is: misp-galaxy:dwva="Smart contract"

Service Provider

An actor that provides a service by making available and managing infrastructure, or by executing a process.

The tag is: misp-galaxy:dwva="Service Provider"

Administrator

An actor whose job it is to supervise the technical operation of a service.

The tag is: misp-galaxy:dwva="Administrator"

Virtual Asset

A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

The tag is: misp-galaxy:dwva="Virtual Asset "

Darknet Forum

Forum services hosted in the Dark Web.

The tag is: misp-galaxy:dwva="Darknet Forum"

Shop

A shop is a service where products from one actor (the shop owner) are traded.

The tag is: misp-galaxy:dwva="Shop"

Hosted wallet

A digital account hosted by a third-party financial institution, known as a Virtual Asset Service Provider (VASP), which allows the account holder (the user) to store, send, and receive cryptocurrency.

The tag is: misp-galaxy:dwva="Hosted wallet"

Table 2101. Table References

Links

https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf

.Onion

A special-use top-level domain name designating an anonymous onion service, formerly known as a "hidden service". It is so named because of the “layered” approach to relays in the Tor Browser.

The tag is: misp-galaxy:dwva=".Onion"

Bridge

Blockchain bridges enable interoperability between vastly different networks, such as Bitcoin and Ethereum, and between one parent blockchain and its sidechains.

The tag is: misp-galaxy:dwva="Bridge"

Table 2102. Table References

Links

https://blog.makerdao.com/what-are-blockchain-bridges-and-why-are-they-important-for-defi/

Unhosted wallet

A wallet that is not hosted by a third-party financial system. It can be very difficult or impossible to determine who is accessing or in control of the use of cryptocurrencies in an unhosted wallet. Unhosted wallets allow for anonymity and concealment of illicit financial activity.

The tag is: misp-galaxy:dwva="Unhosted wallet"

Table 2103. Table References

Links

https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf

Drop Ship

A vending tactic involving the vendor passing the buyer’s address on to another vendor to ship to, eliminating any need for the middleman (dropshipper) to handle anything illegal in person.

The tag is: misp-galaxy:dwva="Drop Ship"

Table 2104. Table References

Links

DNM Bible Glossary

Sidechain

A sidechain is a side blockchain that is linked to another blockchain, referred to as the main chain, via a two-way peg.

The tag is: misp-galaxy:dwva="Sidechain"

Table 2105. Table References

Links

https://coinmarketcap.com/alexandria/glossary/side-chain

Flash Loan

A cryptocurrency loan executed through a smart contract, with no collateral, that must be paid back within the same block. The purpose of a flash loan is to gain money through arbitrage (on different exchanges or different assets) without providing any collateral.

The tag is: misp-galaxy:dwva="Flash Loan"

Table 2106. Table References

Links

https://www.coindesk.com/what-is-a-flash-loan

Escrow

An escrow is a contractual arrangement in which a third party (the stakeholder or escrow agent) receives and disburses money or property for the primary transacting parties, with the disbursement dependent on conditions agreed to by the transacting parties.

The tag is: misp-galaxy:dwva="Escrow"

Proof of Work

The Bitcoin blockchain is constructed and validated by computation. Miners work to validate the blockchain with their computing power, proving their work in return for a reward. The Bitcoin blockchain is based on Proof-of-Work.

The tag is: misp-galaxy:dwva="Proof of Work"

Tumbler

A method of scrambling or anonymizing the source of one’s cryptocurrencies.

The tag is: misp-galaxy:dwva="Tumbler"

Unspent Transaction Output

An unspent transaction output of a cryptocurrency. Such an output is consumed as an input to a new transaction.

The tag is: misp-galaxy:dwva="Unspent Transaction Output"

Crypto-assets

A crypto-asset (…) is a digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a ledger existing in a form of a computerized database using strong cryptography to secure transaction records, to control the creation of additional coins, and to verify the transfer of coin ownership.

The tag is: misp-galaxy:dwva="Crypto-assets"

Bitcoin cash

Bitcoin Cash is a cryptocurrency that is a fork of Bitcoin. Bitcoin Cash is a spin-off or altcoin that was created in 2017.

The tag is: misp-galaxy:dwva="Bitcoin cash"

FIAT currencies

Fiat money is a currency (a medium of exchange) established as money, often by government regulation. Fiat money does not have intrinsic value and does not have use value. It has value only because a government maintains its value, or because parties engaging in exchange agree on its value.

The tag is: misp-galaxy:dwva="FIAT currencies"

Crypto ATM

A Bitcoin ATM (Automated Teller Machine) is a kiosk that allows a person to purchase Bitcoin and other cryptocurrencies by using cash or debit card. Some types of ATM also allow users to sell their cryptocurrency, dispensing cash in payment. Depending on the provider, the ATM can require KYC verification.

The tag is: misp-galaxy:dwva="Crypto ATM"

Ethereum

Ethereum is a decentralized, open-source blockchain with smart contract functionality. Ether (ETH) is the native cryptocurrency of the platform. It is the second-largest cryptocurrency by market capitalization, after Bitcoin. Ethereum is the most actively used blockchain.

The tag is: misp-galaxy:dwva="Ethereum"

Yield farming

A process that lets you earn either fixed or variable interest by investing crypto in a DeFi market.

The tag is: misp-galaxy:dwva="Yield farming"

Table 2107. Table References

Links

https://decrypt.co/resources/what-is-yield-farming-beginners-guide

Invisible Internet Protocol

An “anonymous overlay network” using the garlic routing protocol that encrypts multiple messages together to make data traffic analysis difficult, while simultaneously increasing network traffic speed. Each encrypted message has its own specific delivery instruction, and each endpoint works as a cryptographic identifier or what we refer to as “keys.” Since I2P is entirely peer-to-peer in structure, there’s no hard-coded trusted set of directory stores. Instead, the network directory of I2P is netDb, a distributed database that is replicated across the network.

The tag is: misp-galaxy:dwva="Invisible Internet Protocol"

Regulator

Authority that defines (national) regulations.

The tag is: misp-galaxy:dwva="Regulator"

Hidden Service

A collective name used to describe websites that require a special browser in order to be accessed.

The tag is: misp-galaxy:dwva="Hidden Service"

Relay (node)

A relay is a node in the Tor network. When a request to access a particular hidden service is made, the browser calculates the optimal route through a series of relays, exchanging cryptographic keys between nodes, to display the content without disclosing the IP address of the request originator. Each relay decrypts a layer of encryption to reveal the next relay in the circuit to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing or knowing the source IP address.

The tag is: misp-galaxy:dwva="Relay (node)"

Bitcoin Improvement Proposals

Bitcoin improvement proposals are the equivalent of RFCs. They define the protocols and structures of Bitcoin. They are developed and maintained on the Bitcoin GitHub.

The tag is: misp-galaxy:dwva="Bitcoin Improvement Proposals"

Decentralized Finances

Smart contracts and DApps on blockchains, mainly on the Ethereum technology and network, used to provide traditional financial services. The technology provides strong immunity against attackers and some level of anonymity and privacy. Transactions are confirmed relatively fast, but the services mostly lack KYC and AML compliance controls and offer limited to no user support and customer care. Current DeFi innovations include: lending platforms; prediction markets; decentralised exchanges (DEXs); staking and pooling platforms.

The tag is: misp-galaxy:dwva="Decentralized Finances"

Customer

The end user of a service. The customer is the party paying for the service (buying goods, using a service, owning an asset…).

The tag is: misp-galaxy:dwva="Customer"

Litecoin

Litecoin (LTC or Ł) is a peer-to-peer cryptocurrency and open-source software project released under the MIT/X11 license. Litecoin was an early bitcoin spinoff or altcoin, starting in October 2011. In technical details, Litecoin is nearly identical to Bitcoin.

The tag is: misp-galaxy:dwva="Litecoin"

Cyberterrorist

Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.

The tag is: misp-galaxy:dwva="Cyberterrorist"

Tether

Tether is a controversial cryptocurrency with tokens issued by Tether Limited. It formerly falsely claimed that each token was backed by one United States dollar, but on 14 March 2019 changed the backing to include loans to affiliate companies.

The tag is: misp-galaxy:dwva="Tether"

Bank

A bank is a financial institution that accepts deposits from the public and creates a demand deposit while simultaneously making loans.

The tag is: misp-galaxy:dwva="Bank"

Monero

An open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. Monero (XMR) uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination.

The tag is: misp-galaxy:dwva="Monero"

Binance Coin

BNB powers the Binance Ecosystem. As the native coin of Binance Chain, BNB has multiple use cases: fueling transactions on the Chain, paying for transaction fees on Binance Exchange, making in-store payments, and many more.

The tag is: misp-galaxy:dwva="Binance Coin"

Invisible Internet protocol network

A type of anonymity network similar to Tor, based on the Invisible Internet Project protocol.

The tag is: misp-galaxy:dwva="Invisible Internet protocol network"

Darknet market

A darknet market is a commercial website on the web that operates via darknets such as Tor or I2P. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products.

The tag is: misp-galaxy:dwva="Darknet market"

Pretty Good Privacy

An abbreviation for Pretty Good Privacy, an encryption program popular for encrypting emails and files. Through the use of public and private keys, it allows users who have never met to send encrypted messages etc. to each other without exchanging private encryption keys.

The tag is: misp-galaxy:dwva="Pretty Good Privacy"

Takedown notice

Notice and take down is a process operated by online hosts in response to court orders or allegations that content is illegal. Content is removed by the host following notice.

The tag is: misp-galaxy:dwva="Takedown notice"

Victim

Someone or something that has been hurt, damaged, or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance.

The tag is: misp-galaxy:dwva="Victim"

Table 2108. Table References

Links

https://dictionary.cambridge.org/dictionary/english/victim

Polkadot

Polkadot is a heterogeneous multi-chain interchange and translation architecture which enables customised side-chains to connect with public blockchains.

The tag is: misp-galaxy:dwva="Polkadot"

Bank credentials

Login credentials for e-services that are provided by financial institutions with a bank license.

The tag is: misp-galaxy:dwva="Bank credentials"

Money mule

A money mule, sometimes called a "smurfer," is a person who transfers money acquired illegally in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred.

The tag is: misp-galaxy:dwva="Money mule"

Internet Relay Chat

A text-based chat service enabling users connected to a server to communicate with each other in real-time.

The tag is: misp-galaxy:dwva="Internet Relay Chat"

Software wallet

A [software] cryptocurrency wallet is a (…) program or a service which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.

The tag is: misp-galaxy:dwva="Software wallet"

Cardano

Cardano is a public blockchain platform. It is open source and decentralized, with consensus achieved using proof of stake. It can facilitate peer-to-peer transactions with its internal cryptocurrency Ada.

The tag is: misp-galaxy:dwva="Cardano"

Dogecoin

Dogecoin (code: DOGE, symbol: Ð) is a cryptocurrency created by software engineers Billy Markus and Jackson Palmer, who decided to create a payment system that is instant, fun, and free from traditional banking fees.

The tag is: misp-galaxy:dwva="Dogecoin"

Exchange

Trading platform (commonly referred to as an “Exchange”) is the term within this paper used to describe any venue which facilitates the exchange of tokens for any form of money or asset. Trading platforms provide services to buy and sell tokens and/or for exchange of national (fiat) currencies backed by central banks.

The tag is: misp-galaxy:dwva="Exchange"

Blockchain

Blockchain is a distributed technology built under peer-to-peer network principles and cryptographic primitives, such as asymmetric encryption and digital signature. It allows trust-less users to exchange information and record transactions without external interference and coordination.

The tag is: misp-galaxy:dwva="Blockchain"

Darknet Email Service

Messaging services hosted or accessible via privacy enhanced networks.

The tag is: misp-galaxy:dwva="Darknet Email Service"

Credentials

A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so.

The tag is: misp-galaxy:dwva="Credentials"

Rug pull

A rug pull is a malicious maneuver in the cryptocurrency industry where crypto developers abandon a project and run away with investors’ funds.

The tag is: misp-galaxy:dwva="Rug pull"

Table 2109. Table References

Links

https://coinmarketcap.com/alexandria/glossary/rug-pull

Moderator

A person who manages the discussion contributions in an online forum.

The tag is: misp-galaxy:dwva="Moderator"

TOR Network

A network of routers that adds encryption to conceal a web user’s location and usage so that these are resistant to surveillance and hence are truly anonymous. The domain names of these hidden sites all end in ‘.onion’ and they are only accessible by using a Tor browser. Tor stands for ‘The Onion Router’.

The tag is: misp-galaxy:dwva="TOR Network"

ZeroNet

One of the newest Darknets, becoming increasingly popular. It is a combination of trackerless Bittorrent and a Blockchain for persistent site and user identity. ZeroNet optionally uses the Tor network as a virtual private network. As a full mesh network, all clients are also servers. By browsing to a “zite” as they are known in ZeroNet lingo, the machine used automatically becomes one of the servers for this zite also.

The tag is: misp-galaxy:dwva="ZeroNet"

Dead drop

The dead drop is a delivery model used by some vendors to distribute their products. A vendor uses a ‘dropman’ to hide consignments of pre-packaged drug deals in a number of suitably discreet offline locations. When a buyer makes a purchase from the vendor the geo-coordinates are provided to them for them to collect their order.

The tag is: misp-galaxy:dwva="Dead drop"

Coinjoin

Coinjoin is a method of mixing cryptocurrency tokens or coins, where two or more user transactions are combined into a single transaction on the blockchain, with multiple inputs and outputs. The concept behind that methodology is to obfuscate the link between an input and an output that would otherwise be apparent in a standard, single-user transaction. The coinjoin methodology is open-source and integrated into some software wallets, and is also available for use via a hosted online service.

The tag is: misp-galaxy:dwva="Coinjoin"

Paste site/service

A pastebin or text storage site is a type of online content hosting service where users can store plain text, e.g. source code snippets for code review via Internet Relay Chat (IRC).

The tag is: misp-galaxy:dwva="Paste site/service"

Deep Web

The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard web search-engines.

The tag is: misp-galaxy:dwva="Deep Web"

Cryptocurrencies User

(User of) Decentralized virtual currency that employs cryptography to accomplish tamper-resistance.

The tag is: misp-galaxy:dwva="Cryptocurrencies User"

Flash loan attack

An attack on a DeFi protocol that exploits vulnerabilities in the flash loan system.

The tag is: misp-galaxy:dwva="Flash loan attack"

Privacy coin

Privacy coins are a class of cryptocurrencies that power private and anonymous blockchain transactions by obscuring their origin and destination. Some of the techniques used include hiding a user’s real wallet balance and address, and mixing multiple transactions with each other to elude chain analysis.

The tag is: misp-galaxy:dwva="Privacy coin"

Peer-to-peer exchange

The exchange or sharing of information, data, or assets between parties without the involvement of a central authority. Peer-to-peer, or P2P, takes a decentralized approach to interactions between individuals and groups. This approach has been used in computers and networking (peer-to-peer file sharing), as well as with virtual assets trading.

The tag is: misp-galaxy:dwva="Peer-to-peer exchange"

Proxy

A virtual service that changes users’ IP addresses when using the Internet.

The tag is: misp-galaxy:dwva="Proxy"

Scam

Scam denotes a fraudulent or deceptive act or operation.

The tag is: misp-galaxy:dwva="Scam"

Table 2110. Table References

Links

https://www.merriam-webster.com/dictionary/scam

Sextortion

Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion.

The tag is: misp-galaxy:dwva="Sextortion"

Table 2111. Table References

Links

https://en.wikipedia.org/wiki/Sextortion

Phishing

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.

The tag is: misp-galaxy:dwva="Phishing"

Table 2112. Table References

Links

https://en.wikipedia.org/wiki/Phishing

Service Hack

A service hack denotes the digital intrusion into a service with the goal to steal funds.

The tag is: misp-galaxy:dwva="Service Hack"

Ransomware

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.

The tag is: misp-galaxy:dwva="Ransomware"

Table 2113. Table References

Links

https://en.wikipedia.org/wiki/Ransomware

Ponzi Scheme

A Ponzi scheme is a form of fraud that lures investors and pays profits to earlier investors with funds from more recent investors.

The tag is: misp-galaxy:dwva="Ponzi Scheme"

Table 2114. Table References

Links

https://en.wikipedia.org/wiki/Ponzi_scheme

Malpedia

Malware galaxy cluster based on Malpedia.

Malpedia is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Davide Arcuri - Alexandre Dulaunoy - Steffen Enders - Andrea Garavaglia - Andras Iklody - Daniel Plohmann - Christophe Vandeplas

FastCash

The tag is: misp-galaxy:malpedia="FastCash"

FastCash is also known as:

Table 2115. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash

https://github.com/fboldewin/FastCashMalwareDissected/

https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware

https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/

https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

https://www.cisa.gov/uscert/ncas/alerts/TA18-275A

https://www.cisa.gov/uscert/ncas/alerts/aa20-239a

https://www.youtube.com/watch?v=zGvQPtejX9w

https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf

https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf

https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf

https://www.us-cert.gov/ncas/alerts/TA18-275A

https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf

https://www.youtube.com/watch?v=LUxOcpIRxmg

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/

888 RAT

The tag is: misp-galaxy:malpedia="888 RAT"

888 RAT is also known as:

Table 2116. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat

https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/

AbstractEmu

According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.

The tag is: misp-galaxy:malpedia="AbstractEmu"

AbstractEmu is also known as:

Table 2118. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign

https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/

Agent Smith

The tag is: misp-galaxy:malpedia="Agent Smith"

Agent Smith is also known as:

Table 2122. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.agentsmith

https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

AhMyth

According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.

The tag is: misp-galaxy:malpedia="AhMyth"

AhMyth is also known as:

Table 2123. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth

https://www.secrss.com/articles/24995

https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/

https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset

https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/

https://securelist.com/transparent-tribe-part-2/98233/

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

Anatsa

The tag is: misp-galaxy:malpedia="Anatsa"

Anatsa is also known as:

  • ReBot

  • TeaBot

  • Toddler

Table 2127. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa

https://twitter.com/icebre4ker/status/1416409813467156482

https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/

https://gbhackers.com/teabot-banking-trojan/

https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe

https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html

https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign

https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach

https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered

https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html

https://labs.k7computing.com/?p=22407

https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/

https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf

https://twitter.com/ThreatFabric/status/1394958795508523008

https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368

https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html

https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/

https://www.prodaft.com/m/reports/Toddler_TLPWHITE_V2.pdf

https://www.cleafy.com/cleafy-labs/a-stealthy-threat-uncovered-teabot-on-google-play-store

https://www.cleafy.com/documents/teabot

ANDROSNATCH

According to Google, a Chrome cookie stealer.

The tag is: misp-galaxy:malpedia="ANDROSNATCH"

ANDROSNATCH is also known as:

Table 2129. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.androsnatch

https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

Anubis (Android)

BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app’s login screen to make victims think it’s a legitimate login form when in reality, inputted credentials are sent to the attackers.

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

  • Recording screen activity and sound from the microphone

  • Implementing a SOCKS5 proxy for covert communication and package delivery

  • Capturing screenshots

  • Sending mass SMS messages from the device to specified recipients

  • Retrieving contacts stored on the device

  • Sending, reading, deleting, and blocking notifications for SMS messages received by the device

  • Scanning the device for files of interest to exfiltrate

  • Locking the device screen and displaying a persistent ransom note

  • Submitting USSD code requests to query bank balances

  • Capturing GPS data and pedometer statistics

  • Implementing a keylogger to steal credentials

  • Monitoring active apps to mimic and perform overlay attacks

  • Stopping malicious functionality and removing the malware from the device

The tag is: misp-galaxy:malpedia="Anubis (Android)"

Anubis (Android) is also known as:

  • BankBot

  • android.bankbot

  • android.bankspy

Table 2130. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis

https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb

https://pentest.blog/n-ways-to-unpack-mobile-malware/

https://muha2xmad.github.io/malware-analysis/anubis/

https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html

https://assets.virustotal.com/reports/2021trends.pdf

https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html

http://blog.koodous.com/2017/05/bankbot-on-google-play.html

https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus

https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html

https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html

http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/

https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/

https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis

https://0x1c3n.tech/anubis-android-malware-analysis

https://community.riskiq.com/article/85b3db8c

https://www.youtube.com/watch?v=U0UsfO-0uJM

https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/

https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/

https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/

https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/

http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html

https://securelist.com/mobile-malware-evolution-2019/96280/

Ashas

The tag is: misp-galaxy:malpedia="Ashas"

Ashas is also known as:

Table 2133. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas

https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/

ATANK

According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.

The tag is: misp-galaxy:malpedia="ATANK"

ATANK is also known as:

Table 2134. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank

https://twitter.com/LukasStefanko/status/1268070798293708800

AxBanker

According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.

The tag is: misp-galaxy:malpedia="AxBanker"

AxBanker is also known as:

Table 2135. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker

https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks

https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#::text=We%20found%20five%20banking%20malware

badbazaar

BadBazaar is a type of malware primarily functioning as a banking Trojan. Designed to compromise Android devices, it is often distributed through malicious apps downloaded from unofficial app stores or third-party websites. Once installed, BadBazaar seeks to steal financial information and login credentials by intercepting SMS messages, performing screen recordings, and logging keystrokes on the device. Additionally, it can execute remote commands and download and install other malicious applications, further compromising the security of the affected device.

The tag is: misp-galaxy:malpedia="badbazaar"

badbazaar is also known as:

Table 2136. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar

https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15

BADCALL (Android)

A remote access tool (RAT) payload on Android devices.

The tag is: misp-galaxy:malpedia="BADCALL (Android)"

BADCALL (Android) is also known as:

Table 2137. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall

https://www.us-cert.gov/ncas/analysis-reports/ar19-252a

BadPatch

The tag is: misp-galaxy:malpedia="BadPatch"

BadPatch is also known as:

  • WelcomeChat

Table 2138. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch

https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/

BingoMod

The tag is: misp-galaxy:malpedia="BingoMod"

BingoMod is also known as:

Table 2142. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.bingomod

https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data

BrasDex

According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.

At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.

The tag is: misp-galaxy:malpedia="BrasDex"

BrasDex is also known as:

Table 2144. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex

https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html

BusyGasper

The tag is: misp-galaxy:malpedia="BusyGasper"

BusyGasper is also known as:

Table 2147. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper

https://securelist.com/busygasper-the-unfriendly-spy/87627/

CapraRAT

According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.

The tag is: misp-galaxy:malpedia="CapraRAT"

CapraRAT is also known as:

Table 2148. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat

https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/

https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html

https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/

CarbonSteal

The tag is: misp-galaxy:malpedia="CarbonSteal"

CarbonSteal is also known as:

Table 2149. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Catelites

Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.

The tag is: misp-galaxy:malpedia="Catelites"

Catelites is also known as:

Table 2150. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites

https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang

https://www.youtube.com/watch?v=1LOy0ZyjEOk

Cerberus

According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.

The tag is: misp-galaxy:malpedia="Cerberus"

Cerberus is also known as:

Table 2151. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus

https://twitter.com/AndroidCerberus

https://cyberint.com/blog/research/cerberus-is-dead-long-live-cerberus/

https://github.com/ics-iot-bootcamp/cerberus_research

https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf

https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/

https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf

https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html

https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

https://securelist.com/the-state-of-stalkerware-in-2021/106193/

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html

https://nur.pub/cerberus-analysis

https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/

https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf

https://community.riskiq.com/article/85b3db8c

https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus

Chameleon

The malware Chameleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen.

The tag is: misp-galaxy:malpedia="Chameleon"

Chameleon is also known as:

Table 2152. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon

https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/

https://www.threatfabric.com/blogs/chameleon-is-now-targeting-employees-masquerading-as-crm-app

https://www.threatfabric.com/blogs/android-banking-trojan-chameleon-is-back-in-action

Chrysaor

The tag is: misp-galaxy:malpedia="Chrysaor"

Chrysaor is also known as:

  • JigglyPuff

  • Pegasus

Table 2156. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor

https://twitter.com/alexanderjaeger/status/1417447732030189569

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/

https://objective-see.com/blog/blog_0x67.html

https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages

https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/

https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests

https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/

https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf

https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html

https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/

https://nex.sx/blog/2021/08/03/the-pegasus-project.html

https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/

https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/

https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/

https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/

https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/

https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/

https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/

https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying

https://citizenlab.ca/2021/07/amnesty-peer-review/

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/

https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto

https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/

https://zetter.substack.com/p/pegasus-spyware-how-it-works-and

https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/

https://www.theguardian.com/news/series/pegasus-project

https://thewire.in/tag/pegasus-project

https://twitter.com/HackSysTeam/status/1418223814387765258?s=20

https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/

https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/

https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/

https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/

https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/

https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus

https://thewire.in/media/pegasus-project-spyware-indian-journalists

https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5

https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/

https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso

https://media.ccc.de/v/33c3-7901-pegasus_internals

https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/

https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/

https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/

https://therecord.media/mexican-army-spyware

https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/

https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/

https://twitter.com/billmarczak/status/1416801439402262529

https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html

https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat

https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/

https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/

https://irpimedia.irpi.eu/sorveglianze-cy4gate/

https://www.iverify.io/post/clipping-wings-our-analysis-of-a-pegasus-spyware-sample

https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/

https://forbiddenstories.org/about-the-pegasus-project/

https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1

https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/

Clientor

The tag is: misp-galaxy:malpedia="Clientor"

Clientor is also known as:

Table 2157. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor

https://twitter.com/LukasStefanko/status/1042297855602503681

CometBot

The tag is: misp-galaxy:malpedia="CometBot"

CometBot is also known as:

Table 2160. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot

https://twitter.com/LukasStefanko/status/1102937833071935491

Connic

The tag is: misp-galaxy:malpedia="Connic"

Connic is also known as:

  • SpyBanker

Table 2161. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic

https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/

Coper

Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. Malicious Coper apps have a modular architecture and a multi-stage infection mechanism. Coper was originally spotted in Colombia but has since emerged in Europe as well.

The tag is: misp-galaxy:malpedia="Coper"

Coper is also known as:

  • ExobotCompact

  • Octo

Table 2162. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper

https://x.com/cleafylabs/status/1833145006585987374

https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/

https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html

https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html

https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/

https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/

https://blog.cyble.com/2022/03/24/coper-banking-trojan/

https://www.threatfabric.com/blogs/octo2-european-banks-already-under-attack-by-new-malware-variant

https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/

https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs

https://twitter.com/icebre4ker/status/1541875982684094465

https://www.domaintools.com/resources/blog/uncovering-octo2-domains/

https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

Coronavirus Android Worm

Poses as an app offering a "corona safety mask", but instead reads the phone’s address book and sends an SMS carrying its own download link to every contact, spreading worm-like.

The tag is: misp-galaxy:malpedia="Coronavirus Android Worm"

Coronavirus Android Worm is also known as:

Table 2164. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm

https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan

https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html

Cpuminer (Android)

The tag is: misp-galaxy:malpedia="Cpuminer (Android)"

Cpuminer (Android) is also known as:

Table 2165. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer

https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

CryCryptor

According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations; at the time of publication these websites targeted the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to running only apps from the store are not affected.

When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.

When files have been encrypted, a notification is displayed directing users to open the ransom note.
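The description above gives a responder everything needed for a first triage of a copied file tree: '.enc' files, their '.enc.salt' and '.enc.iv' companions, and a ransom note per affected directory. The following script is an added example, not code from the MISP galaxy, Malpedia or ESET. It pairs each encrypted file with its per-file parameters and reports which files still have both (a decryptor needs them) and which are orphaned. The directory layout and the ransom-note filename are constructed for the demo; the page does not name the note file.

```python
"""Triage of CryCryptor-style encryption artefacts on a copied file tree.

Added example for the entry above; it is not code from the MISP galaxy,
Malpedia or ESET. It relies only on what the entry states: encrypted files
get a '.enc' suffix and sit beside '<name>.enc.salt' and '<name>.enc.iv'
companion files, and every affected directory receives a ransom note.
The directory layout and the ransom-note filename used in the demo are
constructed for this example (the page does not name the note file).
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set

ENC_SUFFIX = ".enc"
SALT_SUFFIX = ".enc.salt"
IV_SUFFIX = ".enc.iv"


@dataclass
class Finding:
    encrypted: str          # path of the '.enc' file
    salt: Optional[str]     # path of the '.enc.salt' companion, if present
    iv: Optional[str]       # path of the '.enc.iv' companion, if present

    @property
    def recoverable_params(self) -> bool:
        """Both per-file parameters still present: a decryptor can use them."""
        return self.salt is not None and self.iv is not None


@dataclass
class TriageReport:
    findings: List[Finding] = field(default_factory=list)
    note_dirs: Set[str] = field(default_factory=set)

    @property
    def complete(self) -> List[Finding]:
        return [f for f in self.findings if f.recoverable_params]

    @property
    def orphaned(self) -> List[Finding]:
        """Encrypted files whose salt or IV file is missing (deleted, or copy incomplete)."""
        return [f for f in self.findings if not f.recoverable_params]


def triage(root: str, note_name: str) -> TriageReport:
    """Walk `root`, pair every '.enc' file with its salt/IV files and record
    directories holding a ransom note named `note_name` (an assumption)."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        if note_name in present:
            report.note_dirs.add(dirpath)
        for name in sorted(files):
            # '.enc.salt' / '.enc.iv' never end in '.enc', so they are skipped here
            if not name.endswith(ENC_SUFFIX):
                continue
            stem = name[: -len(ENC_SUFFIX)]
            salt = stem + SALT_SUFFIX
            iv = stem + IV_SUFFIX
            report.findings.append(Finding(
                encrypted=os.path.join(dirpath, name),
                salt=os.path.join(dirpath, salt) if salt in present else None,
                iv=os.path.join(dirpath, iv) if iv in present else None,
            ))
    return report


def build_sample_tree(note_name: str = "ransom_note.txt") -> str:
    """Constructed stand-in for an image of the device's shared storage."""
    root = tempfile.mkdtemp(prefix="crycryptor_demo_")
    layout = [
        "DCIM/photo1.jpg.enc", "DCIM/photo1.jpg.enc.salt", "DCIM/photo1.jpg.enc.iv",
        "DCIM/photo2.jpg.enc", "DCIM/photo2.jpg.enc.salt",   # IV file missing
        "DCIM/" + note_name,
        "Documents/notes.txt",                               # untouched file
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = triage(root, "ransom_note.txt")
    print(f"{len(report.findings)} encrypted files, "
          f"{len(report.complete)} with salt+IV, {len(report.orphaned)} orphaned")
    print("ransom notes in:", sorted(report.note_dirs))
```

Run it against a read-only copy of the device's storage, never the live device: the point of the orphaned list is to tell you, before any recovery attempt, which files have lost the salt or IV that was written next to them.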

The tag is: misp-galaxy:malpedia="CryCryptor"

CryCryptor is also known as:

  • CryCrypter

  • CryDroid

Table 2167. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor

https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/

DAAM

According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.

Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

The tag is: misp-galaxy:malpedia="DAAM"

DAAM is also known as:

  • BouldSpy

Table 2169. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.daam

https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/

https://www.lookout.com/blog/iranian-spyware-bouldspy

Dark Shades

The tag is: misp-galaxy:malpedia="Dark Shades"

Dark Shades is also known as:

  • Rogue

Table 2170. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades

https://twitter.com/LukasStefanko/status/1252163657036976129

DoubleAgent

The tag is: misp-galaxy:malpedia="DoubleAgent"

DoubleAgent is also known as:

Table 2175. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

DoubleLocker

The tag is: misp-galaxy:malpedia="DoubleLocker"

DoubleLocker is also known as:

Table 2176. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Dracarys

Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube and other chat applications, and is distributed through phishing sites.

The tag is: misp-galaxy:malpedia="Dracarys"

Dracarys is also known as:

Table 2177. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.dracarys

https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/

DroidJack

The tag is: misp-galaxy:malpedia="DroidJack"

DroidJack is also known as:

Table 2179. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack

https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic

ErrorFather

ErrorFather is an Android banking trojan with a multi-stage dropper. The final payload is derived from the Cerberus source code leak.

The tag is: misp-galaxy:malpedia="ErrorFather"

ErrorFather is also known as:

Table 2185. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.errorfather

https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/

Eventbot

According to ThreatFabric, the app uses overlays against 15 financial targets in the UK, Italy and Spain, and sniffs 234 apps of banks located in Europe as well as crypto wallets.

The tag is: misp-galaxy:malpedia="Eventbot"

Eventbot is also known as:

Table 2186. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot

https://twitter.com/ThreatFabric/status/1240664876558823424

https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

https://www.youtube.com/watch?v=qqwOrLR2rgU

FakeAdBlocker

The tag is: misp-galaxy:malpedia="FakeAdBlocker"

FakeAdBlocker is also known as:

Table 2190. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker

https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/

Fakecalls

According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.

The tag is: misp-galaxy:malpedia="Fakecalls"

Fakecalls is also known as:

Table 2191. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakecalls

https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/

https://research.checkpoint.com/2023/south-korean-android-banking-menace-fakecalls/

FakeDefend

The tag is: misp-galaxy:malpedia="FakeDefend"

FakeDefend is also known as:

Table 2192. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakedefend

https://www.fortiguard.com/encyclopedia/virus/5543975/android-fakedefend-c-tr

FakeGram

The tag is: misp-galaxy:malpedia="FakeGram"

FakeGram is also known as:

  • FakeTGram

Table 2194. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram

https://blog.talosintelligence.com/2018/11/persian-stalker.html

FileCoder

According to Heimdal, a new strain of ransomware has emerged on Android mobile devices, targeting those running Android 5.1 and higher. Security researchers dubbed this strain FileCoder (Android/Filecoder.c); it spreads via text messages containing a malicious link.

The tag is: misp-galaxy:malpedia="FileCoder"

FileCoder is also known as:

Table 2197. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder

https://www.welivesecurity.com/2019/07/29/android-ransomware-back/

FlexiSpy (Android)

The tag is: misp-galaxy:malpedia="FlexiSpy (Android)"

FlexiSpy (Android) is also known as:

Table 2199. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy

https://mobisec.reyammer.io/slides

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

FluBot

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite the arrest in March 2021 of multiple people suspected of involvement with this malware, the campaign has only intensified since.
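A family that resolves its C&C through a DGA and can fall back to DNS-over-HTTPS leaves two traces in resolver logs: bursts of NXDOMAIN answers for long, random-looking names, and lookups of public DoH endpoints just before the client's DNS traffic disappears from view. The script below is an added example, not code from the MISP galaxy, Malpedia or PRODAFT, and it does not reproduce FluBot's actual domain-generation algorithm, which the entry does not describe. It shows the generic resolver-side check: score each client on distinct failed lookups of high-entropy labels and list clients that resolved a DoH endpoint. The log format, the log lines and the DoH endpoint list are constructed for the demo.

```python
"""DNS-log heuristics for DGA-style C2 resolution and DoH use.

Added example, not code from the MISP galaxy, Malpedia or PRODAFT, and not
FluBot's actual domain-generation algorithm, which this page does not
reproduce. It shows the resolver-side check a defender would run when an
entry says a family uses a DGA and falls back to DNS-over-HTTPS: score
each client on bursts of NXDOMAIN answers for long, high-entropy labels,
and flag clients that resolve public DoH endpoints (a visibility gap, not
proof of infection). The log format and all log lines are constructed.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Public DoH endpoints; a client resolving these may be about to bypass
# this resolver's logging. This list is an assumption, not from the page.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

MIN_LABEL_LEN = 12     # DGA labels tend to be long ...
MIN_ENTROPY = 3.5      # ... and close to uniform in character use
MIN_NXDOMAINS = 5      # distinct failed lookups before a client is flagged


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str
    rcode: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label of `qname`; ignores multi-part public suffixes
    (co.uk etc.), which is acceptable for a heuristic."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(text: str) -> List[Query]:
    """Parse the constructed format: '<ts> <client> <qname> <qtype> <rcode>'."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue            # skip blank or malformed lines
        queries.append(Query(*parts))
    return queries


def looks_generated(qname: str) -> bool:
    """Long and high-entropy registrable label: the DGA signature."""
    label = registrable_label(qname)
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def analyze(queries: List[Query]) -> Dict[str, object]:
    """Return {'dga_suspects': {client: distinct suspicious NXDOMAINs},
               'doh_clients': {clients that resolved a DoH endpoint}}."""
    failed: Dict[str, Set[str]] = defaultdict(set)
    doh_clients: Set[str] = set()
    for q in queries:
        host = q.qname.rstrip(".").lower()
        if host in DOH_HOSTS:
            doh_clients.add(q.client)
        if q.rcode == "NXDOMAIN" and looks_generated(host):
            failed[q.client].add(host)
    suspects = {c: len(d) for c, d in failed.items() if len(d) >= MIN_NXDOMAINS}
    return {"dga_suspects": suspects, "doh_clients": doh_clients}


# Constructed sample: 10.0.0.5 churns through failed lookups of random-looking
# names, hits one that resolves, then talks to a DoH endpoint; 10.0.0.9 is an
# ordinary client whose one NXDOMAIN is a plain typo.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 10.0.0.5 xkqjzmwprtsdvlc.ru A NXDOMAIN
2021-06-01T10:00:01Z 10.0.0.5 bgynhfoauiezkdq.com A NXDOMAIN
2021-06-01T10:00:02Z 10.0.0.5 cvmrtpwxsqlzkjd.cn A NXDOMAIN
2021-06-01T10:00:02Z 10.0.0.5 hneyuioabfgdkmz.ru A NXDOMAIN
2021-06-01T10:00:03Z 10.0.0.5 plkrstvwxyzqmnb.com A NXDOMAIN
2021-06-01T10:00:03Z 10.0.0.5 azertyuiopqsdfg.cn A NOERROR
2021-06-01T10:00:04Z 10.0.0.5 dns.google A NOERROR
2021-06-01T10:00:05Z 10.0.0.9 www.bankofamerica.com A NOERROR
2021-06-01T10:00:06Z 10.0.0.9 cloudflare-dns.com A NOERROR
2021-06-01T10:00:07Z 10.0.0.9 printer-server-1.local A NXDOMAIN
"""


if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG)))
```

Two caveats a practitioner should keep in mind: a DoH lookup alone proves nothing (browsers use it legitimately), it only tells you which clients' later resolutions you will no longer see, and the entropy thresholds are heuristics to be tuned against your own baseline, not a fixed signature for this family.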

The tag is: misp-galaxy:malpedia="FluBot"

FluBot is also known as:

  • Cabassous

  • FakeChat

Table 2201. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot

https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/

https://mobile.twitter.com/albertosegura/status/1400396365759500289

https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain

https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/

https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/

https://securityintelligence.com/posts/story-of-fakechat-malware/

https://therecord.media/flubot-malware-gang-arrested-in-barcelona/

https://twitter.com/malwrhunterteam/status/1359939300238983172

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html

https://hispasec.com/resources/FedexBanker.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://twitter.com/albertosegura/status/1395675479194095618

https://twitter.com/albertosegura/status/1404098461440659459

https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/

https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/

https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html

https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9

https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html

https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users

https://www.prodaft.com/m/reports/FluBot_4.pdf

https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered

https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones

https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

https://twitter.com/albertosegura/status/1399249798063087621?s=20

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.infinitumit.com.tr/flubot-zararlisi/

https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/

https://twitter.com/albertosegura/status/1402615237296148483

https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368

https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond

https://blog.zimperium.com/flubot-vs-zimperium/

https://twitter.com/albertosegura/status/1384840011892285440

https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf

https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/

https://www.ncsc.admin.ch/22w12-de

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf

https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06

https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon

https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/

https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027

FluHorse

According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.

The tag is: misp-galaxy:malpedia="FluHorse"

FluHorse is also known as:

Table 2202. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse

https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse

https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4

https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/

FlyTrap

Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.

The tag is: misp-galaxy:malpedia="FlyTrap"

FlyTrap is also known as:

Table 2203. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap

https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/

FurBall

According to Check Point, they uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.

The tag is: misp-galaxy:malpedia="FurBall"

FurBall is also known as:

Table 2205. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball

https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html

https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/

https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/

https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf

https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program

https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/

https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/

Ghimob

The tag is: misp-galaxy:malpedia="Ghimob"

Ghimob is also known as:

Table 2207. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob

https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/

Gigabud

Gigabud is the name of an Android Remote Access Trojan (RAT) that can record the victim’s screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.

The tag is: misp-galaxy:malpedia="Gigabud"

Gigabud is also known as:

Table 2209. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud

https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/

https://www.group-ib.com/blog/gigabud-banking-malware/

Ginp

Ginp is a mobile banking trojan targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit card numbers by implementing overlay attacks; overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is how its operators managed to keep it undetected over time while it received version upgrades over many years. According to ThreatFabric, Ginp has the following features:

  • Overlaying: Dynamic (local overlays obtained from the C2)

  • SMS harvesting: SMS listing

  • SMS harvesting: SMS forwarding

  • Contact list collection

  • Application listing

  • Overlaying: Targets list update

  • SMS: Sending

  • Calls: Call forwarding

  • C2 Resilience: Auxiliary C2 list

  • Self-protection: Hiding the App icon

  • Self-protection: Preventing removal

  • Self-protection: Emulation-detection

The tag is: misp-galaxy:malpedia="Ginp"

Ginp is also known as:

Table 2210. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp

https://twitter.com/ESETresearch/status/1269945115738542080

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://www.youtube.com/watch?v=WeL_xSryj8E

https://muha2xmad.github.io/malware-analysis/ginp/

https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/

https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html

https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/

GoatRAT

The tag is: misp-galaxy:malpedia="GoatRAT"

GoatRAT is also known as:

Table 2213. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.goat_rat

https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/

Godfather

According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.

The tag is: misp-galaxy:malpedia="Godfather"

Godfather is also known as:

Table 2214. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather

https://github.com/LaurieWired/StrangeLoop

https://blog.group-ib.com/godfather-trojan

https://brandefense.io/blog/godfather-android-banking-trojan/

https://muha2xmad.github.io/malware-analysis/godfather/

GoldenEagle

The tag is: misp-galaxy:malpedia="GoldenEagle"

GoldenEagle is also known as:

Table 2215. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

GoldDigger

The tag is: misp-galaxy:malpedia="GoldDigger"

GoldDigger is also known as:

Table 2217. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gold_digger

https://www.group-ib.com/blog/golddigger-fraud-matrix/

GPlayed

Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.

The tag is: misp-galaxy:malpedia="GPlayed"

GPlayed is also known as:

Table 2219. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed

https://blog.talosintelligence.com/2018/10/gplayerbanker.html

https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

Gravity RAT (Android)

The tag is: misp-galaxy:malpedia="Gravity RAT (Android)"

Gravity RAT (Android) is also known as:

Table 2220. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gravity_rat

https://blog.talosintelligence.com/cosmic-leopard/

Gustuff

Group-IB describes Gustuff as a mobile Android Trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and popular e-commerce websites and marketplaces. Gustuff had not previously been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities. The analysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase, etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India, and users of 32 cryptocurrency apps.

The tag is: misp-galaxy:malpedia="Gustuff"

Gustuff is also known as:

Table 2223. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

https://www.group-ib.com/media/gustuff/

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://blog.talosintelligence.com/2019/10/gustuffv2.html

Hermit

Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.

The tag is: misp-galaxy:malpedia="Hermit"

Hermit is also known as:

Table 2227. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit

https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/

https://www.lighthousereports.nl/investigation/revealing-europes-nso

https://de.lookout.com/blog/hermit-spyware-discovery

HeroRAT

The tag is: misp-galaxy:malpedia="HeroRAT"

HeroRAT is also known as:

Table 2228. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat

https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

HilalRAT

A RAT which can be used to extract sensitive information, e.g. contact lists, text messages and location information.

The tag is: misp-galaxy:malpedia="HilalRAT"

HilalRAT is also known as:

Table 2230. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat

https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html

Hydra

Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does this by asking the user to enable dangerous permissions such as the Accessibility Service; every time the banking app is opened, the malware hijacks the session by overlaying the legitimate banking application’s login page with a malicious one. The goal is the same: trick the user into entering their login credentials so that they go straight to the malware authors.
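The mechanism described for Hydra (and, above, for Ginp and Gigabud) rests on two device-level grants: an enabled accessibility service, and the "draw over other apps" permission (SYSTEM_ALERT_WINDOW) that the fake login page needs. Both are visible through adb without any vendor tooling, which makes them a cheap triage check on a suspect phone. The script below is an added example, not code from the MISP galaxy, Malpedia or Avira. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, reports accessibility services that are not on an allowlist, and marks which of those packages also hold the overlay permission. The allowlist, the package names and the sample command outputs are constructed for the demo.

```python
"""Checks for the two permissions Android overlay bankers depend on.

Added example for the Hydra entry (the same check applies to the Ginp and
Gigabud entries); it is not code from the MISP galaxy, Malpedia or Avira.
It parses the output of two adb commands and reports packages that hold an
enabled accessibility service without being on an allowlist, tagging each
with whether it also holds SYSTEM_ALERT_WINDOW, the permission an overlay
needs. The allowlist and the sample command outputs are constructed.

  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Accessibility services an organisation has vetted (constructed allowlist).
ALLOWED_SERVICES = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    overlay_mode: Optional[str]   # appops mode for SYSTEM_ALERT_WINDOW, or None

    @property
    def overlay_capable(self) -> bool:
        return self.overlay_mode == "allow"


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """'pkg/cls:pkg/cls' -> [(pkg, cls), ...]; 'null' means none enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls       # shorthand relative class name
        pairs.append((pkg, cls))
    return pairs


def parse_appops_mode(raw: str, op: str = "SYSTEM_ALERT_WINDOW") -> Optional[str]:
    """Extract the mode ('allow', 'deny', 'ignore', 'default') for `op` from
    'appops get' output; None when the op is not listed ('No operations.')."""
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(op + ":"):
            return line[len(op) + 1:].strip().split(";")[0].strip()
    return None


def assess(enabled_raw: str, appops_raw: Dict[str, str],
           allowlist=ALLOWED_SERVICES) -> List[Finding]:
    """Unvetted accessibility services, each tagged with its overlay mode."""
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg in allowlist:
            continue
        findings.append(Finding(pkg, cls, parse_appops_mode(appops_raw.get(pkg, ""))))
    return findings


# Constructed command outputs: TalkBack (vetted) plus an unknown "update" app
# that holds both grants, the combination an overlay banker needs.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.update/.AccService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.update": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m5s ago",
}


if __name__ == "__main__":
    for f in assess(SAMPLE_ENABLED, SAMPLE_APPOPS):
        flag = "accessibility + overlay" if f.overlay_capable else "accessibility only"
        print(f"{f.package} ({f.service}): {flag}")
```

An unvetted accessibility service is worth a look on its own; one that also holds the overlay grant is the exact combination the entry describes and should be pulled for analysis rather than just uninstalled, since the dropper and its configuration are what tie the sample to a campaign.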

The tag is: misp-galaxy:malpedia="Hydra"

Hydra is also known as:

Table 2232. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra

https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/

https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/

https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5

https://muha2xmad.github.io/malware-analysis/hydra/

https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221

https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace

https://twitter.com/muha2xmad/status/1570788983474638849

https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0

https://medium.com/@joshuapenny88/hostinghunter-series-chang-way-technologies-co-limited-a9ba4fce0f65

https://cryptax.medium.com/android-bianlian-payload-61febabed00a

IRATA

According to redpiranha, IRATA (Iranian Remote Access Trojan) is a new Android malware detected in the wild. It arrives through an SMS phishing attack: the message is themed to resemble information from the government and asks the recipient to download the malicious application. IRATA can collect sensitive information from the phone, including bank details. Since it infects the phone, it can also gather SMS messages, which can then be used to obtain 2FA tokens.

The tag is: misp-galaxy:malpedia="IRATA"

IRATA is also known as:

Table 2234. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata

https://muha2xmad.github.io/malware-analysis/irata/

https://onecert.ir/portal/blog/irata

https://twitter.com/muha2xmad/status/1562831996078157826

JadeRAT

The tag is: misp-galaxy:malpedia="JadeRAT"

JadeRAT is also known as:

Table 2236. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat

https://blog.lookout.com/mobile-threat-jaderat

Joker

Joker is one of the most well-known malware families on Android devices. It manages to get onto Google’s official app store by repeatedly changing its signatures, including the malware’s code, execution process and payload-retrieval techniques. This malware is capable of stealing users’ personal information, including contact details, device data, WAP services and SMS messages.

The tag is: misp-galaxy:malpedia="Joker"

Joker is also known as:

  • Bread

Table 2237. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker

https://www.threatfabric.com/blogs/toad-fraud

https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1

https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/

https://labs.k7computing.com/?p=22199

https://muha2xmad.github.io/malware-analysis/hydra/

https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/

https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451

https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/

https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html

https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks---using-github-to-hide-its-payload.html

https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2

https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus

https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/

Koler

The tag is: misp-galaxy:malpedia="Koler"

Koler is also known as:

Table 2240. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler

https://twitter.com/LukasStefanko/status/928262059875213312

Konni (Android)

The tag is: misp-galaxy:malpedia="Konni (Android)"

Konni (Android) is also known as:

Table 2241. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.konni

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11

Loki

The tag is: misp-galaxy:malpedia="Loki"

Loki is also known as:

Table 2244. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki

http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/

LuckyCat

The tag is: misp-galaxy:malpedia="LuckyCat"

LuckyCat is also known as:

Table 2246. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat

https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

MasterFred

According to heimdal, MasterFred is an Android trojan that uses fake login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The attackers’ goal is to steal credit card information.

The tag is: misp-galaxy:malpedia="MasterFred"

MasterFred is also known as:

  • Brox

Table 2249. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred

https://twitter.com/AvastThreatLabs/status/1458162276708483073

Medusa (Android)

According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.

The tag is: misp-galaxy:malpedia="Medusa (Android)"

Medusa (Android) is also known as:

  • Gorgona

Table 2251. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa

https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html

https://www.cleafy.com/cleafy-labs/medusa-reborn-a-new-compact-variant-discovered

https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

https://twitter.com/ThreatFabric/status/1285144962695340032

MobileOrder

Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely distributed through other channels such as social engineering.

The tag is: misp-galaxy:malpedia="MobileOrder"

MobileOrder is also known as:

Table 2253. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mobile_order

https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/

Monokle

Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, and the ability to install an attacker-specified certificate into the trusted certificates on an infected device, which would allow for man-in-the-middle (MITM) attacks. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential elections.

The tag is: misp-galaxy:malpedia="Monokle"

Monokle is also known as:

Table 2254. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle

https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

MoqHao

The tag is: misp-galaxy:malpedia="MoqHao"

MoqHao is also known as:

  • Shaoye

  • XLoader

Table 2255. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao

https://www.xanhacks.xyz/p/moqhao-malware-analysis

https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/

https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/

https://securelist.com/roaming-mantis-part-v/96250/

https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html

https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf

https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/

https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/

https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1

https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681

https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf

https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/

https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484

https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html

https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends

https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/

MOrder RAT

The tag is: misp-galaxy:malpedia="MOrder RAT"

MOrder RAT is also known as:

Table 2256. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.morder_rat

https://www.ctfiot.com/138538.html

Mudwater

The tag is: misp-galaxy:malpedia="Mudwater"

Mudwater is also known as:

Table 2257. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater

https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

MysteryBot

MysteryBot is an Android banking Trojan with overlay capabilities, including support for Android 7 and 8, that also provides other features such as keylogging and ransomware functionality.

The tag is: misp-galaxy:malpedia="MysteryBot"

MysteryBot is also known as:

Table 2258. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot

https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html

PackChat

The tag is: misp-galaxy:malpedia="PackChat"

PackChat is also known as:

Table 2262. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat

https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/

Phoenix

The tag is: misp-galaxy:malpedia="Phoenix"

Phoenix is also known as:

Table 2264. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.phoenix

https://cryptax.medium.com/reverse-engineering-of-android-phoenix-b59693c03bd3

PhoneSpy

According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.

The tag is: misp-galaxy:malpedia="PhoneSpy"

PhoneSpy is also known as:

Table 2265. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy

https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/

PINEFLOWER

According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking, deleting, downloading, and uploading files, reading connectivity state, speed, and activity, and toggling Bluetooth, Wi-Fi, and mobile data settings.

The tag is: misp-galaxy:malpedia="PINEFLOWER"

PINEFLOWER is also known as:

Table 2266. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

PixPirate

According to PCrisk, PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.

In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.

The tag is: misp-galaxy:malpedia="PixPirate"

PixPirate is also known as:

Table 2267. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate

https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan

Podec

The tag is: misp-galaxy:malpedia="Podec"

Podec is also known as:

Table 2270. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec

https://securelist.com/jack-of-all-trades/83470/

Fake Pornhub

The tag is: misp-galaxy:malpedia="Fake Pornhub"

Fake Pornhub is also known as:

Table 2272. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub

Premier RAT

The tag is: misp-galaxy:malpedia="Premier RAT"

Premier RAT is also known as:

Table 2273. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat

https://twitter.com/LukasStefanko/status/1084774825619537925

Rana

The tag is: misp-galaxy:malpedia="Rana"

Rana is also known as:

Table 2276. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana

https://blog.reversinglabs.com/blog/rana-android-malware

RatMilad

RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be an application for services like VPN and phone number spoofing. Unwary users install these trojanized applications and grant them the permissions the malware needs.

The tag is: misp-galaxy:malpedia="RatMilad"

RatMilad is also known as:

Table 2277. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ratmilad

https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices

Raxir

The tag is: misp-galaxy:malpedia="Raxir"

Raxir is also known as:

Table 2278. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir

https://twitter.com/PhysicalDrive0/statuses/798825019316916224

RedAlert2

RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber and WhatsApp or fake Adobe Flash Player updates.

The tag is: misp-galaxy:malpedia="RedAlert2"

RedAlert2 is also known as:

Table 2279. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores

RemRAT

The tag is: misp-galaxy:malpedia="RemRAT"

RemRAT is also known as:

Table 2280. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat

https://blogs.360.cn/post/analysis-of-RemRAT.html

Retefe (Android)

The Android app used by Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the visitor is not a real target, the download link does not serve the malicious APK but the real 'Signal Private Messenger' tool, so the phone does not get infected.

The tag is: misp-galaxy:malpedia="Retefe (Android)"

Retefe (Android) is also known as:

Table 2281. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe

http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html

http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/

http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html

http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html

http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html

https://www.govcert.admin.ch/blog/33/the-retefe-saga

Revive

According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.

The tag is: misp-galaxy:malpedia="Revive"

Revive is also known as:

Table 2282. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.revive

https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan

Sauron Locker

The tag is: misp-galaxy:malpedia="Sauron Locker"

Sauron Locker is also known as:

Table 2287. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker

https://twitter.com/LukasStefanko/status/1117795290155819008

SideWinder (Android)

SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.

The tag is: misp-galaxy:malpedia="SideWinder (Android)"

SideWinder (Android) is also known as:

Table 2289. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder

https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/

https://www.group-ib.com/blog/hunting-sidewinder/

SilkBean

The tag is: misp-galaxy:malpedia="SilkBean"

SilkBean is also known as:

Table 2290. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean

https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Skygofree

The tag is: misp-galaxy:malpedia="Skygofree"

Skygofree is also known as:

Table 2291. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

SMSspy

The tag is: misp-galaxy:malpedia="SMSspy"

SMSspy is also known as:

Table 2295. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy

SoumniBot

The tag is: misp-galaxy:malpedia="SoumniBot"

SoumniBot is also known as:

Table 2296. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.soumnibot

https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/

SpyC23

The tag is: misp-galaxy:malpedia="SpyC23"

SpyC23 is also known as:

Table 2299. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23

https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/

SpyNote

The malware has been released on github at https://github.com/EVLF/Cypher-Rat-Source-Code

The tag is: misp-galaxy:malpedia="SpyNote"

SpyNote is also known as:

  • CypherRat

Table 2301. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote

https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies

https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr

https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn

https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places

https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA

https://hunt.io/blog/inside-a-cybercriminal-s-server-ddos-tools-spyware-apks-and-phishing-pages

https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/

https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/

https://labs.k7computing.com/index.php/spynote-an-android-snooper/

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html

https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

https://www.group-ib.com/blog/craxs-rat-malware/

https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions

https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan

https://labs.k7computing.com/index.php/spynote-targets-irctc-users/

https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions

https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/

StealthAgent

The tag is: misp-galaxy:malpedia="StealthAgent"

StealthAgent is also known as:

Table 2302. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent

https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

Stealth Mango

The tag is: misp-galaxy:malpedia="Stealth Mango"

Stealth Mango is also known as:

Table 2303. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango

https://www.lookout.com/blog/stealth-mango

https://www.lookout.com/info/stealth-mango-report-ty

Switcher

The tag is: misp-galaxy:malpedia="Switcher"

Switcher is also known as:

Table 2305. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher

https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/

TemptingCedar Spyware

The tag is: misp-galaxy:malpedia="TemptingCedar Spyware"

TemptingCedar Spyware is also known as:

Table 2309. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar

https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware

TianySpy

According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.

The tag is: misp-galaxy:malpedia="TianySpy"

TianySpy is also known as:

Table 2311. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy

https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html

TinyZ

The tag is: misp-galaxy:malpedia="TinyZ"

TinyZ is also known as:

  • Catelites Android Bot

  • MarsElite Android Bot

Table 2312. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz

http://blog.group-ib.com/cron

ToxicPanda

The tag is: misp-galaxy:malpedia="ToxicPanda"

ToxicPanda is also known as:

Table 2314. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.toxic_panda

https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam

TrickMo

TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan by addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. The continued development and progressively improved obfuscation suggests an active Threat Actor.

The tag is: misp-galaxy:malpedia="TrickMo"

TrickMo is also known as:

Table 2316. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.trickmo

https://www.cleafy.com/cleafy-labs/a-new-trickmo-saga-from-banking-trojan-to-victims-data-leak

https://www.zimperium.com/blog/expanding-the-investigation-deep-dive-into-latest-trickmo-samples/

https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/

https://cyble.com/blog/trickmos-return-banking-trojan-resurgence-with-new-features/

Triout

Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.

The tag is: misp-galaxy:malpedia="Triout"

Triout is also known as:

Table 2317. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout

UltimaSMS

The tag is: misp-galaxy:malpedia="UltimaSMS"

UltimaSMS is also known as:

Table 2318. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms

https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast

Unidentified APK 001

The tag is: misp-galaxy:malpedia="Unidentified APK 001"

Unidentified APK 001 is also known as:

Table 2319. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001

https://www.welivesecurity.com/2017/02/14/new-android-trojan-mimics-user-clicks-download-dangerous-malware/

Unidentified APK 002

The tag is: misp-galaxy:malpedia="Unidentified APK 002"

Unidentified APK 002 is also known as:

Table 2320. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002

Unidentified APK 004

According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.

The tag is: misp-galaxy:malpedia="Unidentified APK 004"

Unidentified APK 004 is also known as:

Table 2321. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004

https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/

Unidentified APK 005

The tag is: misp-galaxy:malpedia="Unidentified APK 005"

Unidentified APK 005 is also known as:

Table 2322. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005

Unidentified 007 (ARMAAN RAT)

According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.

The tag is: misp-galaxy:malpedia="Unidentified 007 (ARMAAN RAT)"

Unidentified 007 (ARMAAN RAT) is also known as:

Table 2324. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007

https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/

Unidentified APK 008

Android malware distributed through fake shopping websites targeting Malaysian users, targeting banking information.

The tag is: misp-galaxy:malpedia="Unidentified APK 008"

Unidentified APK 008 is also known as:

Table 2325. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_008

https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/

Unidentified APK 009 (Chrome Recon)

According to Google, this is a Chrome reconnaissance payload.

The tag is: misp-galaxy:malpedia="Unidentified APK 009 (Chrome Recon)"

Unidentified APK 009 (Chrome Recon) is also known as:

Table 2326. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_009

https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

vamp

Related to the Micropsia Windows malware and also sometimes named Micropsia.

The tag is: misp-galaxy:malpedia="vamp"

vamp is also known as:

  • android.micropsia

Table 2328. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp

https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/

VINETHORN

According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.

The tag is: misp-galaxy:malpedia="VINETHORN"

VINETHORN is also known as:

Table 2329. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

Wroba

According to Avira, this is a banking trojan targeting Japan.

The tag is: misp-galaxy:malpedia="Wroba"

Wroba is also known as:

Table 2334. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba

https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan

https://securelist.com/roaming-mantis-reaches-europe/105596/

xHelper

The tag is: misp-galaxy:malpedia="xHelper"

xHelper is also known as:

Table 2338. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.xhelper

https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/

YellYouth

The tag is: misp-galaxy:malpedia="YellYouth"

YellYouth is also known as:

Table 2341. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth

https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html

Zanubis

According to cyware, Zanubis malware pretends to be a legitimate PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.

The tag is: misp-galaxy:malpedia="Zanubis"

Zanubis is also known as:

Table 2342. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis

https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/

Zen

The tag is: misp-galaxy:malpedia="Zen"

Zen is also known as:

Table 2343. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen

https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

Nightrunner

WebShell.

The tag is: misp-galaxy:malpedia="Nightrunner"

Nightrunner is also known as:

Table 2346. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.nightrunner

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

TwoFace

According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.

The secondary webshell, which Unit42 calls the payload, is embedded within the loader in encrypted form and contains the additional functionality. When the threat actor wants to interact with the remote server, they supply data that the loader uses to modify a decryption key embedded within it; the modified key is then used to decrypt the embedded TwoFace payload. Commands supported by the payload include execution of programs, upload, download and deletion of files, and manipulation of MAC timestamps.
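The loader described above is driven entirely by HTTP POST requests to a page that otherwise serves innocuous content, which is the behaviour a defender can hunt for in web server logs. The following Python is an added example, not code from Malpedia, Unit42 or the OilRig tooling, and it encodes no TwoFace signature: it is a generic heuristic that flags ASP pages which receive POSTs but almost no other traffic, from very few client addresses, with no Referer. The IIS W3C log lines, the page path and the IP addresses are constructed for the example.

```python
"""Hunt for webshell-style POST traffic in IIS W3C extended logs (added example).

Heuristic, not a signature: a two-stage webshell such as the loader described
above is only ever driven by POSTs from the operator, so a server-side page that
sees (almost) nothing but POSTs, from one or two client IPs, with no Referer,
stands out against normal form handlers that are reached via GET first.
"""
from collections import defaultdict

# Constructed sample. Real IIS logs encode spaces inside a field as '+', so
# whitespace splitting on the line is safe. The page path and IPs are invented.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes
2020-03-01 10:00:01 10.0.0.5 GET /Default.aspx - 203.0.113.10 Mozilla/5.0 - 200 5120 310
2020-03-01 10:00:02 10.0.0.5 GET /login.aspx - 203.0.113.10 Mozilla/5.0 https://owa.example/Default.aspx 200 4096 310
2020-03-01 10:00:03 10.0.0.5 POST /login.aspx - 203.0.113.10 Mozilla/5.0 https://owa.example/login.aspx 302 300 900
2020-03-01 10:05:00 10.0.0.5 POST /aspnet_client/ContactUs.aspx - 198.51.100.7 Mozilla/5.0 - 200 210 4200
2020-03-01 10:05:30 10.0.0.5 POST /aspnet_client/ContactUs.aspx - 198.51.100.7 Mozilla/5.0 - 200 8800 650
2020-03-01 10:06:10 10.0.0.5 POST /aspnet_client/ContactUs.aspx - 198.51.100.7 Mozilla/5.0 - 200 120 13000
"""

ASP_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#"):   # other directives / blank lines
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                           # skip malformed lines rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def suspicious_webshell_pages(rows, min_posts=3, post_ratio=0.9, max_clients=2):
    """Return ASP pages whose traffic is almost exclusively referer-less POSTs
    from a handful of clients. Each hit reports the page, POST count, client IPs
    and the range of request body sizes (cs-bytes), which for a command channel
    varies far more than for a fixed HTML form."""
    stats = defaultdict(lambda: {"posts": 0, "total": 0, "clients": set(),
                                 "noref": 0, "body_sizes": []})
    for r in rows:
        page = r["cs-uri-stem"].lower()
        if not page.endswith(ASP_EXTENSIONS):
            continue
        s = stats[page]
        s["total"] += 1
        if r["cs-method"] == "POST":
            s["posts"] += 1
            s["clients"].add(r["c-ip"])
            s["body_sizes"].append(int(r["cs-bytes"]))
            if r["cs(Referer)"] == "-":
                s["noref"] += 1

    hits = []
    for page, s in stats.items():
        if s["posts"] < min_posts:
            continue                                   # too little to judge
        if s["posts"] / s["total"] < post_ratio:
            continue                                   # page is also browsed normally
        if len(s["clients"]) > max_clients:
            continue                                   # many users: likely a real form
        if s["noref"] != s["posts"]:
            continue                                   # browser-submitted forms carry a Referer
        hits.append({
            "page": page,
            "posts": s["posts"],
            "clients": sorted(s["clients"]),
            "body_bytes": (min(s["body_sizes"]), max(s["body_sizes"])),
        })
    return sorted(hits, key=lambda h: h["posts"], reverse=True)


if __name__ == "__main__":
    for hit in suspicious_webshell_pages(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

The thresholds are deliberately conservative defaults; tune `post_ratio` and `max_clients` against a baseline of the server's own traffic, and treat a hit as a lead to pull the page from disk and compare it against the deployed application, not as a verdict. A loader that also serves decoy HTML on GET, as the one described above does, will still trip the heuristic because its operator traffic is POST-only and referer-less.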

The tag is: misp-galaxy:malpedia="TwoFace"

TwoFace is also known as:

  • HighShell

  • HyperShell

  • Minion

  • SEASHARPEE

Table 2348. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface

https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/

https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf

https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view

https://unit42.paloaltonetworks.com/atoms/evasive-serpens/

https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/

https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf

https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/

https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

https://www.secureworks.com/research/threat-profiles/cobalt-gypsy

https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/

https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf

https://www.youtube.com/watch?v=GjquFKa4afU

Unidentified ASP 001 (Webshell)

The tag is: misp-galaxy:malpedia="Unidentified ASP 001 (Webshell)"

Unidentified ASP 001 (Webshell) is also known as:

Table 2349. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001

Abcbot

Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to a Xanthe-based cryptojacking campaign.

The tag is: misp-galaxy:malpedia="Abcbot"

Abcbot is also known as:

Table 2350. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot

https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/

https://www.cadosecurity.com/the-continued-evolution-of-abcbot/

https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/

Abyss Locker

Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.

The tag is: misp-galaxy:malpedia="Abyss Locker"

Abyss Locker is also known as:

  • elf.hellokitty

Table 2351. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.abyss

https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/

ACBackdoor (ELF)

A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (ELF)"

ACBackdoor (ELF) is also known as:

Table 2352. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

AirDropBot

AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.

The tag is: misp-galaxy:malpedia="AirDropBot"

AirDropBot is also known as:

  • CloudBot

Table 2356. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop

https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html

Aisuru

Honeypot-aware variant of Mirai.

The tag is: misp-galaxy:malpedia="Aisuru"

Aisuru is also known as:

Table 2357. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru

https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/

AVrecon

AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.

The tag is: misp-galaxy:malpedia="AVrecon"

AVrecon is also known as:

Table 2361. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.avrecon

https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/

https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/

https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/

https://twitter.com/BlackLotusLabs/status/1684290046235484160

azazel

Azazel is a Linux user-mode rootkit based on a technique from the Jynx rootkit (the LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features.

The tag is: misp-galaxy:malpedia="azazel"

azazel is also known as:

Table 2362. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel

https://github.com/chokepoint/azazel

B1txor20

B1txor20 is a malware that was discovered by 360 Netlab along with others exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses DNS tunneling to build a C2 communication channel. They also assumed that the malware is still in development, because of some bugs and not fully implemented features.

The tag is: misp-galaxy:malpedia="B1txor20"

B1txor20 is also known as:

Table 2363. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.b1txor20

https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/

Babuk (ELF)

ESX and NAS modules for Babuk ransomware.

The tag is: misp-galaxy:malpedia="Babuk (ELF)"

Babuk (ELF) is also known as:

Table 2364. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings

https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

Backdoorit

According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.

The tag is: misp-galaxy:malpedia="Backdoorit"

Backdoorit is also known as:

  • backd00rit

Table 2365. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoorit

https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/

Irc16

The tag is: misp-galaxy:malpedia="Irc16"

Irc16 is also known as:

Table 2366. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16

https://news.drweb.com/show/?c=5&i=10193&lng=en

BADCALL (ELF)

BADCALL is a Trojan malware variant used by Lazarus Group.

The tag is: misp-galaxy:malpedia="BADCALL (ELF)"

BADCALL (ELF) is also known as:

Table 2367. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

Bashlite

Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

The tag is: misp-galaxy:malpedia="Bashlite"

Bashlite is also known as:

  • Gafgyt

  • gayfgt

  • lizkebab

  • qbot

  • torlus

Table 2368. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora

https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218

https://securityscorecard.com/wp-content/uploads/2024/01/Report-A-Detailed-Analysis-Of-The-Gafgyt-Malware-Targeting-IoT-Devices.pdf

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/

https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/

https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt

https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/

https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group

https://vb2020.vblocalhost.com/uploads/VB2020-Liu.pdf

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/

https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/

https://blog.cyber5w.com/gafgyt-backdoor-analysis

https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/

https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/

https://www.aquasec.com/blog/gafgyt-malware-variant-exploits-gpu-power-and-cloud-native-environments/

https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/

https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

BCMPUPnP_Hunter

The tag is: misp-galaxy:malpedia="BCMPUPnP_Hunter"

BCMPUPnP_Hunter is also known as:

Table 2369. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter

https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/

BiBi-Linux

According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.

The tag is: misp-galaxy:malpedia="BiBi-Linux"

BiBi-Linux is also known as:

Table 2371. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bibi_linux

https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group

Bifrost

Linux version of the bifrose malware that originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.

The tag is: misp-galaxy:malpedia="Bifrost"

Bifrost is also known as:

  • elf.bifrose

Table 2372. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost

https://twitter.com/strinsert1Na/status/1595553530579890176

https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/

https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/

https://jp.security.ntt/resources/EN-BlackTech_2021.pdf

BigViktor

A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.

The tag is: misp-galaxy:malpedia="BigViktor"

BigViktor is also known as:

Table 2373. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor

https://blog.netlab.360.com/bigviktor-dga-botnet/

BioSet

The tag is: misp-galaxy:malpedia="BioSet"

BioSet is also known as:

Table 2374. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset

https://twitter.com/IntezerLabs/status/1409844721992749059

BlackCat (ELF)

ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.

ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.

The tag is: misp-galaxy:malpedia="BlackCat (ELF)"

BlackCat (ELF) is also known as:

  • ALPHV

  • Noberus

Table 2376. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat

https://killingthebear.jorgetesta.tech/actors/alphv

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/

https://x.com/vxunderground/status/1731138180672344095?t=reBMQQFFMGQ_zkV8KmL_LA&s=01

https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://blog.group-ib.com/blackcat

https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3

https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/

https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/

https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/

https://securelist.com/a-bad-luck-blackcat/106254/

https://www.forescout.com/resources/analysis-of-an-alphv-incident

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive

https://www.intrinsec.com/alphv-ransomware-gang-analysis/

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments

https://twitter.com/sisoma2/status/1473243875158499330

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/

https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/

BlackMatter (ELF)

The tag is: misp-galaxy:malpedia="BlackMatter (ELF)"

BlackMatter (ELF) is also known as:

Table 2377. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://blog.group-ib.com/blackmatter2

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://twitter.com/VK_Intel/status/1423188690126266370

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

https://twitter.com/GelosSnake/status/1451465959894667275

https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf

https://www.youtube.com/watch?v=NIiEcOryLpI

https://blog.group-ib.com/blackmatter#

BlackSuit (ELF)

According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.

The tag is: misp-galaxy:malpedia="BlackSuit (ELF)"

BlackSuit (ELF) is also known as:

Table 2379. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit

https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/

https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html

BOLDMOVE (ELF)

According to Mandiant, this malware family is attributed to actors with a potential Chinese background and is directly related to observed exploitation of Fortinet’s SSL-VPN (CVE-2022-42475). There is also a Windows variant.

The tag is: misp-galaxy:malpedia="BOLDMOVE (ELF)"

BOLDMOVE (ELF) is also known as:

Table 2380. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove

https://services.google.com/fh/files/misc/01-chinese-espionage-article-m-trends-2024.pdf

https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html

https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

Break out the Box

This is a pentesting tool and, according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."

It has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.

The tag is: misp-galaxy:malpedia="Break out the Box"

Break out the Box is also known as:

  • BOtB

Table 2381. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb

https://github.com/brompwnie/botb

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.

The tag is: misp-galaxy:malpedia="BPFDoor"

BPFDoor is also known as:

  • JustForFun

Table 2383. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor

https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/

https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html

https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/

https://troopers.de/troopers22/talks/7cv8pz/

https://twitter.com/cyb3rops/status/1523227511551033349

https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/

https://unfinished.bike/fun-with-the-new-bpfdoor-2023

https://twitter.com/CraigHRowland/status/1523266585133457408

https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/

https://exatrack.com/public/Tricephalic_Hellkeeper.pdf

https://nikhilh-20.github.io/blog/cbpf_bpfdoor/

https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896

https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor

brute_ratel

The tag is: misp-galaxy:malpedia="brute_ratel"

brute_ratel is also known as:

Table 2384. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.brute_ratel

https://bruteratel.com/

Caja

Linux malware cross-compiled for x86, MIPS and ARM. It uses XOR-encoded strings and supports 13 C&C commands, including downloading, file modification and execution, and the ability to run shell commands.

The tag is: misp-galaxy:malpedia="Caja"

Caja is also known as:

Table 2386. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.caja

https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ

Caligula

According to Avast Decoded, Caligula is a multiplatform IRC bot used to perform DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64-bit code, as well as ARM 32-bit and PowerPC 64-bit. It is based on the Hellabot open source project.

The tag is: misp-galaxy:malpedia="Caligula"

Caligula is also known as:

Table 2387. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.caligula

https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/

Capoae

XMRig-based mining malware written in Go.

The tag is: misp-galaxy:malpedia="Capoae"

Capoae is also known as:

Table 2388. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae

https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread

CDRThief

The tag is: misp-galaxy:malpedia="CDRThief"

CDRThief is also known as:

Table 2390. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief

https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/

Cephei

The tag is: misp-galaxy:malpedia="Cephei"

Cephei is also known as:

Table 2391. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei

https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

Cetus

The tag is: misp-galaxy:malpedia="Cetus"

Cetus is also known as:

Table 2392. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus

https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/

Chalubo

Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.

The tag is: misp-galaxy:malpedia="Chalubo"

Chalubo is also known as:

  • ChaChaDDoS

Table 2393. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.chalubo

https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

https://blog.centurylink.com/the-pumpkin-eclipse/

https://blog.lumen.com/the-pumpkin-eclipse/

Chaos (ELF)

Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.

The tag is: misp-galaxy:malpedia="Chaos (ELF)"

Chaos (ELF) is also known as:

Table 2394. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos

https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html

https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

Chisel (ELF)

Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as backdoor. Github: https://github.com/jpillora/chisel

The tag is: misp-galaxy:malpedia="Chisel (ELF)"

Chisel (ELF) is also known as:

Table 2396. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel

https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/

ConnectBack

ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim’s device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.

The tag is: misp-galaxy:malpedia="ConnectBack"

ConnectBack is also known as:

  • Getshell

Table 2399. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback

https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/

Conti (ELF)

Ransomware

The tag is: misp-galaxy:malpedia="Conti (ELF)"

Conti (ELF) is also known as:

  • Conti Locker

Table 2400. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti

https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.youtube.com/watch?v=cYx7sQRbjGA

https://resources.prodaft.com/wazawaka-report

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://damonmccoy.com/papers/Ransomware_eCrime22.pdf

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike

https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware

Cpuminer (ELF)

This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.

The tag is: misp-galaxy:malpedia="Cpuminer (ELF)"

Cpuminer (ELF) is also known as:

Table 2401. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer

https://github.com/pooler/cpuminer

https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/

CronRAT

A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.

The tag is: misp-galaxy:malpedia="CronRAT"

CronRAT is also known as:

Table 2403. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat

https://sansec.io/research/cronrat

CyclopsBlink

According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.

The tag is: misp-galaxy:malpedia="CyclopsBlink"

CyclopsBlink is also known as:

Table 2404. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

https://www.theregister.com/2022/03/18/cyclops_asus_routers/

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf

https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/

https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/

https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/

https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute

https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py

https://www.justice.gov/opa/press-release/file/1491281/download

https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/

https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://attack.mitre.org/groups/G0034

https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html

Dacls (ELF)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.

The tag is: misp-galaxy:malpedia="Dacls (ELF)"

Dacls (ELF) is also known as:

Table 2405. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://blog.netlab.360.com/dacls-the-dual-platform-rat/

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://securelist.com/apt-trends-report-q2-2020/97937/

https://vblocalhost.com/uploads/VB2021-Park.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://www.sygnia.co/mata-framework

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

DarkCracks

A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.

The tag is: misp-galaxy:malpedia="DarkCracks"

DarkCracks is also known as:

Table 2407. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkcracks

https://blog.xlab.qianxin.com/darkcracks-an-advanced-stealthy-payload-delivery-and-upgrade-framework/

DarkSide (ELF)

The tag is: misp-galaxy:malpedia="DarkSide (ELF)"

DarkSide (ELF) is also known as:

Table 2409. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/

https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/

https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside

https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/

https://blog.group-ib.com/blackmatter2

https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636

https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/

https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html

https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/

https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212

https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/

https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access

https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/

https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://therecord.media/popular-hacking-forum-bans-ransomware-ads/

https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group

https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/

https://www.ic3.gov/Media/News/2021/211101.pdf

https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/

https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9

https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b

https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/

https://pylos.co/2021/05/13/mind-the-air-gap/

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/

https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/

https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims

https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted

https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin

https://twitter.com/GelosSnake/status/1451465959894667275

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service

https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/

https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/

https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/

https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://twitter.com/JAMESWT_MHT/status/1388301138437578757

https://www.youtube.com/watch?v=NIiEcOryLpI

https://blog.group-ib.com/blackmatter#

ddoor

The tag is: misp-galaxy:malpedia="ddoor"

ddoor is also known as:

Table 2412. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor

https://github.com/rek7/ddoor

DEADBOLT

DEADBOLT is a Linux ransomware written in Go, targeting QNAP NAS devices worldwide. The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.

The tag is: misp-galaxy:malpedia="DEADBOLT"

DEADBOLT is also known as:

Table 2413. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt

https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html

https://community.riskiq.com/article/1601124b

https://securelist.com/new-ransomware-trends-in-2022/106457/

https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

Decoy Dog RAT

The tag is: misp-galaxy:malpedia="Decoy Dog RAT"

Decoy Dog RAT is also known as:

Table 2414. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.decoy_dog

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/

Denonia

Cado discovered this malware, written in Go and targeting AWS Lambda environments.

The tag is: misp-galaxy:malpedia="Denonia"

Denonia is also known as:

Table 2415. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html

Dofloo

Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.

The tag is: misp-galaxy:malpedia="Dofloo"

Dofloo is also known as:

  • AESDDoS

Table 2418. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo

Ebury

This payload was used to compromise kernel.org back in August of 2011 and has hit cPanel Support, which, in turn, has infected quite a few cPanel servers. It is a credential-stealing payload which steals SSH keys, passwords, and potentially other credentials.

This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.

The tag is: misp-galaxy:malpedia="Ebury"

Ebury is also known as:

Table 2422. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

https://security.web.cern.ch/security/advisories/windigo/windigo.shtml

https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/

https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy

https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/

https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download

https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf

Echobot

The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.

When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.

The tag is: misp-galaxy:malpedia="Echobot"

Echobot is also known as:

Table 2423. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot

https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/

https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html

https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada

https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/

Elevator

The tag is: misp-galaxy:malpedia="Elevator"

Elevator is also known as:

Table 2424. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.elevator

https://blog.lumen.com/taking-the-elevator-down-to-ring-0/

EnemyBot

According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.

The tag is: misp-galaxy:malpedia="EnemyBot"

EnemyBot is also known as:

Table 2425. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/

https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux

Evilginx

According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

The tag is: misp-galaxy:malpedia="Evilginx"

Evilginx is also known as:

Table 2428. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilginx

https://osamaellahi.medium.com/the-art-of-defense-evasion-part-3-bypass-multi-factor-authentication-mfa-26d3a87dea0f

https://github.com/kgretzky/evilginx2

https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2

EvilGnome

According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.

The tag is: misp-galaxy:malpedia="EvilGnome"

EvilGnome is also known as:

Table 2429. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

EwDoor

The tag is: misp-galaxy:malpedia="EwDoor"

EwDoor is also known as:

Table 2430. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ewdoor

https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/

Facefish

The tag is: misp-galaxy:malpedia="Facefish"

Facefish is also known as:

Table 2433. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish

https://blog.netlab.360.com/ssh_stealer_facefish_en/

floodor

The tag is: misp-galaxy:malpedia="floodor"

floodor is also known as:

Table 2436. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor

https://github.com/Thibault-69/Floodor

FontOnLake

This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.

It comes with a rootkit as well.

The tag is: misp-galaxy:malpedia="FontOnLake"

FontOnLake is also known as:

Table 2438. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake

https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/

Gitpaste-12

Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.

The tag is: misp-galaxy:malpedia="Gitpaste-12"

Gitpaste-12 is also known as:

Table 2440. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12

https://blogs.juniper.net/en-us/threat-research/gitpaste-12

Glupteba Proxy

ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.

The tag is: misp-galaxy:malpedia="Glupteba Proxy"

Glupteba Proxy is also known as:

Table 2441. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy

https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html

https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/

GobRAT

The tag is: misp-galaxy:malpedia="GobRAT"

GobRAT is also known as:

Table 2442. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat

https://blogs.jpcert.or.jp/en/2023/05/gobrat.html

Godlua

The tag is: misp-galaxy:malpedia="Godlua"

Godlua is also known as:

Table 2443. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua

https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

GOSH

The tag is: misp-galaxy:malpedia="GOSH"

GOSH is also known as:

Table 2445. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh

https://twitter.com/IntezerLabs/status/1291355808811409408

GoTitan

GoTitan is a DDoS bot under development, which supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.

The tag is: misp-galaxy:malpedia="GoTitan"

GoTitan is also known as:

Table 2446. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.gotitan

https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq

GreedyAntd

The tag is: misp-galaxy:malpedia="GreedyAntd"

GreedyAntd is also known as:

Table 2447. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd

https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

HabitsRAT (ELF)

The tag is: misp-galaxy:malpedia="HabitsRAT (ELF)"

HabitsRAT (ELF) is also known as:

Table 2449. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat

https://twitter.com/michalmalik/status/1435918937162715139

HandyMannyPot

The tag is: misp-galaxy:malpedia="HandyMannyPot"

HandyMannyPot is also known as:

Table 2454. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot

https://twitter.com/liuya0904/status/1171633662502350848

HellDown

Ransomware.

The tag is: misp-galaxy:malpedia="HellDown"

HellDown is also known as:

Table 2457. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.helldown

https://x.com/nextronresearch/status/1851983952409473308

HiatusRAT

Lumen discovered this malware used in a campaign targeting business-grade routers, using a RAT they call HiatusRAT and a variant of tcpdump for traffic interception.

The tag is: misp-galaxy:malpedia="HiatusRAT"

HiatusRAT is also known as:

Table 2460. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiatus_rat

https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/

https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/

HiddenWasp

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.

The tag is: misp-galaxy:malpedia="HiddenWasp"

HiddenWasp is also known as:

Table 2461. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

HinataBot

HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.

The tag is: misp-galaxy:malpedia="HinataBot"

HinataBot is also known as:

Table 2463. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot

https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet

Hipid

The tag is: misp-galaxy:malpedia="Hipid"

Hipid is also known as:

Table 2464. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hipid

https://blogs.jpcert.or.jp/en/2022/09/bigip-exploit.html

Hive (ELF)

The tag is: misp-galaxy:malpedia="Hive (ELF)"

Hive (ELF) is also known as:

Table 2465. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html

https://arxiv.org/pdf/2202.08477.pdf

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf

https://twitter.com/malwrhunterteam/status/1455628865229950979

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive

https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/

https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html

https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/

https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again

https://github.com/reecdeep/HiveV5_file_decryptor

https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://github.com/rivitna/Malware/tree/main/Hive

https://twitter.com/ESETresearch/status/1454100591261667329

https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/

https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://blog.group-ib.com/hive

Horse Shell

Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:

  • Remote shell: Execution of arbitrary shell commands on the infected router

  • File transfer: Upload and download files to and from the infected router.

  • SOCKS tunneling: Relay communication between different clients.

The tag is: misp-galaxy:malpedia="Horse Shell"

Horse Shell is also known as:

Table 2466. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell

https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/

Hubnr

The tag is: misp-galaxy:malpedia="Hubnr"

Hubnr is also known as:

Table 2467. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr

https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet

HyperSSL (ELF)

The tag is: misp-galaxy:malpedia="HyperSSL (ELF)"

HyperSSL (ELF) is also known as:

  • SysUpdate

Table 2468. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.hyperssl

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

Icnanker

The tag is: misp-galaxy:malpedia="Icnanker"

Icnanker is also known as:

Table 2470. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker

https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/

IZ1H9

According to Fortinet, this is a Mirai-based DDoS botnet.

The tag is: misp-galaxy:malpedia="IZ1H9"

IZ1H9 is also known as:

Table 2474. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.iz1h9

https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

JenX

The tag is: misp-galaxy:malpedia="JenX"

JenX is also known as:

Table 2475. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx

https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/

Kaden

Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Next to DDoS capabilities it contains wiper functionality, which currently cannot be triggered (yet).

The tag is: misp-galaxy:malpedia="Kaden"

Kaden is also known as:

Table 2476. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaden

https://www.forescout.com/blog/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet/

Kaiten

According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer that allows it to perform other malicious activities. The trojan does not create any copies of itself. This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

The tag is: misp-galaxy:malpedia="Kaiten"

Kaiten is also known as:

  • STD

Table 2478. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day

https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf

https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/

https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html

https://www.lacework.com/blog/the-kek-security-network/

https://www.lacework.com/the-kek-security-network/

kfos

The tag is: misp-galaxy:malpedia="kfos"

kfos is also known as:

Table 2481. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos

https://twitter.com/r3dbU7z/status/1378564694462586880

Kinsing

The tag is: misp-galaxy:malpedia="Kinsing"

Kinsing is also known as:

  • h2miner

Table 2482. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces

https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/

https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html

https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

https://redcanary.com/blog/kinsing-malware-citrix-saltstack/

https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf

https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743

https://www.aquasec.com/blog/kinsing-malware-exploits-novel-openfire-vulnerability/

https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html

https://unit42.paloaltonetworks.com/atoms/moneylibra/

https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts

https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

https://twitter.com/IntezerLabs/status/1259818964848386048

https://twitter.com/MsftSecIntel/status/1535417776290111489

https://unit42.paloaltonetworks.com/cve-2020-25213/

https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability

Krasue RAT

The tag is: misp-galaxy:malpedia="Krasue RAT"

Krasue RAT is also known as:

Table 2485. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.krasue_rat

https://www.group-ib.com/blog/krasue-rat/

KrustyLoader

ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. Downloads Sliver backdoor and deletes itself.

The tag is: misp-galaxy:malpedia="KrustyLoader"

KrustyLoader is also known as:

Table 2486. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader

https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

KTLVdoor (ELF)

According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.

The tag is: misp-galaxy:malpedia="KTLVdoor (ELF)"

KTLVdoor (ELF) is also known as:

Table 2487. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ktlv_door

https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html

Kuiper (ELF)

The tag is: misp-galaxy:malpedia="Kuiper (ELF)"

Kuiper (ELF) is also known as:

Table 2488. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.kuiper

https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/

Lady

The tag is: misp-galaxy:malpedia="Lady"

Lady is also known as:

Table 2489. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady

https://news.drweb.com/news/?i=10140&lng=en

LeetHozer

The tag is: misp-galaxy:malpedia="LeetHozer"

LeetHozer is also known as:

Table 2490. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer

https://blog.netlab.360.com/the-leethozer-botnet-en/

Lightning Framework

The tag is: misp-galaxy:malpedia="Lightning Framework"

Lightning Framework is also known as:

Table 2491. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lightning

https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/

lilyofthevalley

The tag is: misp-galaxy:malpedia="lilyofthevalley"

lilyofthevalley is also known as:

Table 2493. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley

https://github.com/En14c/LilyOfTheValley

Linodas

The tag is: misp-galaxy:malpedia="Linodas"

Linodas is also known as:

  • DinodasRAT

  • XDealer

Table 2494. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.linodas

https://research.checkpoint.com/2024/29676/

LiquorBot

BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

The tag is: misp-galaxy:malpedia="LiquorBot"

LiquorBot is also known as:

Table 2495. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot

https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/

https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/

LockBit (ELF)

The tag is: misp-galaxy:malpedia="LockBit (ELF)"

LockBit (ELF) is also known as:

Table 2496. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit

https://analyst1.com/ransomware-diaries-volume-1/

https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group

https://www.ic3.gov/Media/News/2022/220204.pdf

https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79

https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/

https://github.com/prodaft/malware-ioc/tree/master/PTI-257

https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

https://www.washingtonpost.com/business/2024/02/20/lockbit-ransomware-cronos-nca-fbi/

https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/

https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation

https://securelist.com/crimeware-report-lockbit-switchsymb/110068/

https://blog.compass-security.com/2022/03/vpn-appliance-forensics/

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/

https://analyst1.com/lockbit-takedown-operation-cronos-a-long-awaited-psyops-against-ransomware/

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf

https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://security.packt.com/understanding-lockbit/

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants

https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/

Loerbas

Loader and Cleaner components used in attacks against high-performance computing centers in Europe.

The tag is: misp-galaxy:malpedia="Loerbas"

Loerbas is also known as:

Table 2497. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas

https://www.cadosecurity.com/2020/05/16/1318/

https://twitter.com/nunohaien/status/1261281419483140096

https://atdotde.blogspot.com/2020/05/high-performance-hackers.html

Log Collector

The tag is: misp-galaxy:malpedia="Log Collector"

Log Collector is also known as:

Table 2498. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector

https://blog.netlab.360.com/dacls-the-dual-platform-rat/

Lootwodniw

The tag is: misp-galaxy:malpedia="Lootwodniw"

Lootwodniw is also known as:

Table 2499. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw

https://twitter.com/ddash_ct/status/1326887125103616000

Manjusaka (ELF)

Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.

The tag is: misp-galaxy:malpedia="Manjusaka (ELF)"

Manjusaka (ELF) is also known as:

Table 2501. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka

https://github.com/avast/ioc/tree/master/Manjusaka

https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html

Matryosh

The tag is: misp-galaxy:malpedia="Matryosh"

Matryosh is also known as:

Table 2503. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh

https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/

Midrashim

An x64 ELF file infector with a non-destructive payload.

The tag is: misp-galaxy:malpedia="Midrashim"

Midrashim is also known as:

Table 2506. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim

https://www.guitmz.com/linux-midrashim-elf-virus/

https://github.com/guitmz/midrashim

Mirai (ELF)

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

The tag is: misp-galaxy:malpedia="Mirai (ELF)"

Mirai (ELF) is also known as:

  • Katana

Table 2508. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html

https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot

https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html

https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign

https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt

https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/

https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/

https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/

https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html

https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/

https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/

https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/

https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space

https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/

https://blog.xlab.qianxin.com/mirai-nomi-en/

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18

https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/

https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/

https://synthesis.to/2021/06/30/automating_string_decryption.html

https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/

https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/

https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/

https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

https://github.com/jgamblin/Mirai-Source-Code

https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/

https://isc.sans.edu/diary/22786

https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/

https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/

https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/

https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability

https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html

https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/

https://unit42.paloaltonetworks.com/cve-2020-17496/

https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/

https://www.youtube.com/watch?v=KVJyYTie-Dc

https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/

https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/

https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/

https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts

http://osint.bambenekconsulting.com/feeds/

https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/

https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/

https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai

https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html

https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants

https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx

https://community.riskiq.com/article/d8a78daf

https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/

https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/

http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/

https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/

https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/

https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet

https://twitter.com/MsftSecIntel/status/1535417776290111489

https://cert.gov.ua/article/37139

Monti

A ransomware, derived from the leaked Conti source code.

The tag is: misp-galaxy:malpedia="Monti"

Monti is also known as:

Table 2511. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.monti

https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html

https://resources.prodaft.com/wazawaka-report

MrBlack

MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.

MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.

The tag is: misp-galaxy:malpedia="MrBlack"

MrBlack is also known as:

  • AESDDoS

  • Dofloo

Table 2515. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack

https://news.drweb.com/?i=5760&c=23&lng=en

https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://blog.syscall.party/post/aes-ddos-analysis-part-1/

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf

Mumblehard

The tag is: misp-galaxy:malpedia="Mumblehard"

Mumblehard is also known as:

Table 2516. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard

https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

Nextcry

Ransomware used against Linux servers.

The tag is: misp-galaxy:malpedia="Nextcry"

Nextcry is also known as:

Table 2517. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry

https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/

Nimbo-C2 (ELF)

According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It’s written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).

The tag is: misp-galaxy:malpedia="Nimbo-C2 (ELF)"

Nimbo-C2 (ELF) is also known as:

Table 2519. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.nimbo_c2

https://github.com/itaymigdal/Nimbo-C2

NiuB

Golang-based RAT that offers execution of shell commands and download+run capability.

The tag is: misp-galaxy:malpedia="NiuB"

NiuB is also known as:

Table 2520. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/

Nood RAT

The tag is: misp-galaxy:malpedia="Nood RAT"

Nood RAT is also known as:

Table 2522. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.noodrat

https://asec.ahnlab.com/en/62144/

Nosedive

According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.

The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.

The tag is: misp-galaxy:malpedia="Nosedive"

Nosedive is also known as:

Table 2523. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive

https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy

https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF

https://blog.lumen.com/derailing-the-raptor-train/

https://www.justice.gov/d9/2024-09/redacted_24-mj-1484_signed_search_and_seizure_warrant_for_disclosure.pdf

NOTROBIN

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

The tag is: misp-galaxy:malpedia="NOTROBIN"

NOTROBIN is also known as:

  • remove_bds

Table 2524. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin

https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/

https://news.sophos.com/en-us/2020/05/21/asnarok2/

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/

https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html

https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

OrBit

According to stormshield, Orbit is a two-stage malware that appeared in July 2022, discovered by Intezer lab. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.

The tag is: misp-galaxy:malpedia="OrBit"

OrBit is also known as:

Table 2525. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.orbit

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

p0sT5n1F3r

According to Yarix digital security, this is malware that allows sniffing of HTTPS traffic, implemented as an Apache module.

The tag is: misp-galaxy:malpedia="p0sT5n1F3r"

p0sT5n1F3r is also known as:

Table 2527. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r

https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf

P2Pinfect

P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.

The tag is: misp-galaxy:malpedia="P2Pinfect"

P2Pinfect is also known as:

Table 2528. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect

https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/

https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer

https://www.cadosecurity.com/redis-p2pinfect/

https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/

https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/

https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform

pbot

P2P botnet derived from the Mirai source code.

The tag is: misp-galaxy:malpedia="pbot"

pbot is also known as:

Table 2529. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot

https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html

PG_MEM

The tag is: misp-galaxy:malpedia="PG_MEM"

PG_MEM is also known as:

Table 2534. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pg_mem

https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/

Pink

A botnet with P2P and centralized C&C capabilities.

The tag is: misp-galaxy:malpedia="Pink"

Pink is also known as:

Table 2537. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink

https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/

https://blog.netlab.360.com/pink-en/

PRISM

The tag is: misp-galaxy:malpedia="PRISM"

PRISM is also known as:

  • waterdrop

Table 2540. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism

https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar

PrivetSanya

Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.

The tag is: misp-galaxy:malpedia="PrivetSanya"

PrivetSanya is also known as:

Table 2541. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya

https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

Pro-Ocean

Unit 42 describes this as malware used by the Rocke Group that deploys an XMRig miner.

The tag is: misp-galaxy:malpedia="Pro-Ocean"

Pro-Ocean is also known as:

Table 2543. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean

https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/

https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/

pupy (ELF)

Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.

The tag is: misp-galaxy:malpedia="pupy (ELF)"

pupy (ELF) is also known as:

Table 2544. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy

https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf

https://github.com/n1nj4sec/pupy

QNAPCrypt

The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

  1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.

  2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.

  3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

The tag is: misp-galaxy:malpedia="QNAPCrypt"

QNAPCrypt is also known as:

  • eCh0raix

Table 2546. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/

https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/

https://www.qnap.com/en/security-advisory/QSA-20-02

https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/

https://www.ibm.com/downloads/cas/Z81AVOY7

https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt

https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/

https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf

https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/

https://www.anomali.com/blog/the-ech0raix-ransomware

QUIETEXIT

Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.

The tag is: misp-galaxy:malpedia="QUIETEXIT"

QUIETEXIT is also known as:

Table 2548. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit

https://www.mandiant.com/resources/unc3524-eye-spy-email

https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023

RansomEXX (ELF)

According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.

The tag is: misp-galaxy:malpedia="RansomEXX (ELF)"

RansomEXX (ELF) is also known as:

  • Defray777

Table 2552. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf

https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf

https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/

https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://www.ic3.gov/Media/News/2021/211101.pdf

https://www.sentinelone.com/anthology/ransomexx/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf

https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://www.youtube.com/watch?v=qxPXxWMI2i4

https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195

https://securityintelligence.com/x-force/ransomexx-upgrades-rust/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

RansomExx2

According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.

The tag is: misp-galaxy:malpedia="RansomExx2"

RansomExx2 is also known as:

Table 2553. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx2

https://securityintelligence.com/x-force/ransomexx-upgrades-rust/

RaspberryPiBotnet

The tag is: misp-galaxy:malpedia="RaspberryPiBotnet"

RaspberryPiBotnet is also known as:

Table 2555. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet

https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/

rat_hodin

The tag is: misp-galaxy:malpedia="rat_hodin"

rat_hodin is also known as:

Table 2556. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin

https://github.com/Thibault-69/RAT-Hodin-v2.5

rbs_srv

The tag is: misp-galaxy:malpedia="rbs_srv"

rbs_srv is also known as:

Table 2557. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv

https://github.com/Thibault-69/Remote_Shell

RedTail

RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. It is being spread via known vulnerabilities such as:

  • CVE-2024-3400

  • CVE-2023-46805

  • CVE-2024-21887

  • CVE-2023-1389

  • CVE-2022-22954

  • CVE-2018-20062

The tag is: misp-galaxy:malpedia="RedTail"

RedTail is also known as:

Table 2558. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.redtail

https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit

RedXOR

RedXOR is a sophisticated backdoor targeting Linux systems, disguised as a polkit daemon and utilizing XOR-based network data encoding. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group.

RedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP.

The malware can execute various commands including system information collection, updates, shell commands, and network tunneling.

The tag is: misp-galaxy:malpedia="RedXOR"

RedXOR is also known as:

Table 2559. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

RedAlert Ransomware

Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.

The tag is: misp-galaxy:malpedia="RedAlert Ransomware"

RedAlert Ransomware is also known as:

  • N13V

Table 2560. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert

https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/

REvil (ELF)

ELF version of win.revil targeting VMware ESXi hypervisors.

The tag is: misp-galaxy:malpedia="REvil (ELF)"

REvil (ELF) is also known as:

  • REvix

Table 2563. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil

https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/

https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.youtube.com/watch?v=ptbNMlWxYnE

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v

https://malienist.medium.com/revix-linux-ransomware-d736956150d0

https://home.treasury.gov/news/press-releases/jy0471

https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom

https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.flashpoint-intel.com/blog/revil-disappears-again/

https://threatpost.com/ransomware-revil-sites-disappears/167745/

https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa

https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version

https://www.bbc.com/news/technology-59297187

https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/

https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo

https://ke-la.com/will-the-revils-story-finally-be-over/

https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil

https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil

https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/

https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/

https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/

https://twitter.com/IntezerLabs/status/1452980772953071619

https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/

https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend

https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5

https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released

https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf

https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment

https://twitter.com/VK_Intel/status/1409601311092490248

https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/

https://github.com/f0wl/REconfig-linux

https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021

https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.youtube.com/watch?v=mDUMpYAOMOo

https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf

https://angle.ankura.com/post/102hcny/revix-linux-ransomware

https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html

https://twitter.com/VK_Intel/status/1409601311092490248?s=20

https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20

http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html

https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/

https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf

https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/

https://analyst1.com/file-assets/History-of-REvil.pdf

Rex

The tag is: misp-galaxy:malpedia="Rex"

Rex is also known as:

Table 2564. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex

https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/

RHOMBUS

The tag is: misp-galaxy:malpedia="RHOMBUS"

RHOMBUS is also known as:

Table 2565. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus

https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/

Roboto

P2P botnet discovered by Netlab360. The botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlab360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gathering process network information, gathering bot information, executing system commands, running encrypted files specified by URLs, and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.

The tag is: misp-galaxy:malpedia="Roboto"

Roboto is also known as:

Table 2567. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto

https://blog.netlab.360.com/the-awaiting-roboto-botnet-en

https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin

RotaJakiro

RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.

The tag is: misp-galaxy:malpedia="RotaJakiro"

RotaJakiro is also known as:

Table 2568. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro

https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/

https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro

https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

Royal Ransom (ELF)

According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.

The tag is: misp-galaxy:malpedia="Royal Ransom (ELF)"

Royal Ransom (ELF) is also known as:

  • Royal

  • Royal_unix

Table 2569. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://unit42.paloaltonetworks.com/royal-ransomware/

https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html

https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/

RudeDevil

The tag is: misp-galaxy:malpedia="RudeDevil"

RudeDevil is also known as:

Table 2571. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rude_devil

https://www.elastic.co/security-labs/betting-on-bots

SALTWATER

According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.

The tag is: misp-galaxy:malpedia="SALTWATER"

SALTWATER is also known as:

Table 2572. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

SEASPY

According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses a libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks each captured network packet for a hard-coded string. When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r".

The tag is: misp-galaxy:malpedia="SEASPY"

SEASPY is also known as:

Table 2575. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy

https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

https://www.cisa.gov/news-events/analysis-reports/ar23-209b

sedexp

The tag is: misp-galaxy:malpedia="sedexp"

sedexp is also known as:

Table 2576. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sedexp

https://www.aon.com/en/insights/cyber-labs/unveiling-sedexp

Shishiga

The tag is: misp-galaxy:malpedia="Shishiga"

Shishiga is also known as:

Table 2578. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga

https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/

SimpleTea (ELF)

SimpleTea for Linux is an HTTP(S) RAT.

It was discovered in Q1 2023 as an instance of the Lazarus group’s Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.

It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.

It supports basic commands that include operations on the victim’s filesystem, manipulation with its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.

SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.

The tag is: misp-galaxy:malpedia="SimpleTea (ELF)"

SimpleTea (ELF) is also known as:

  • PondRAT

  • SimplexTea

Table 2581. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

SLAPSTICK

According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.

The tag is: misp-galaxy:malpedia="SLAPSTICK"

SLAPSTICK is also known as:

Table 2582. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick

https://www.mandiant.com/resources/unc2891-overview

https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html

SnappyTCP

According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.

The tag is: misp-galaxy:malpedia="SnappyTCP"

SnappyTCP is also known as:

Table 2583. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.snappy_tcp

https://www.huntandhackett.com/blog/turkish-espionage-campaigns

https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html

https://blog.strikeready.com/blog/pivoting-through-a-sea-of-indicators-to-spot-turtles/

Spamtorte

The tag is: misp-galaxy:malpedia="Spamtorte"

Spamtorte is also known as:

Table 2585. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte

https://cis.verint.com/2016/11/08/spamtorte-version-2/

SpeakUp

The tag is: misp-galaxy:malpedia="SpeakUp"

SpeakUp is also known as:

Table 2586. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup

https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

SpectralBlur (ELF)

The tag is: misp-galaxy:malpedia="SpectralBlur (ELF)"

SpectralBlur (ELF) is also known as:

Table 2588. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spectral_blur

https://twitter.com/XJunior/status/1743193763000828066

SprySOCKS

The tag is: misp-galaxy:malpedia="SprySOCKS"

SprySOCKS is also known as:

Table 2590. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks

https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html

STEELCORGI

According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.

The tag is: misp-galaxy:malpedia="STEELCORGI"

STEELCORGI is also known as:

Table 2593. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi

https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/

https://www.mandiant.com/resources/unc2891-overview

https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

Sunless

The tag is: misp-galaxy:malpedia="Sunless"

Sunless is also known as:

Table 2594. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless

https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/

sustes miner

Sustes malware doesn’t infect victims by itself (it’s not a worm) but is spread through exploitation and brute-force activities, with a special focus on IoT devices and Linux servers. The initial infection stage comes from a custom wget run directly on the victim machine, followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.

The tag is: misp-galaxy:malpedia="sustes miner"

sustes miner is also known as:

Table 2595. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes

https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/

Suterusu

The tag is: misp-galaxy:malpedia="Suterusu"

Suterusu is also known as:

  • HCRootkit

Table 2596. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu

https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/

Symbiote

A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.

The tag is: misp-galaxy:malpedia="Symbiote"

Symbiote is also known as:

Table 2598. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote

https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat

https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html

https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/

https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote

https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/

TeamTNT

Since Fall 2019, TeamTNT has been a well-known threat actor which targets *nix based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.

The tag is: misp-galaxy:malpedia="TeamTNT"

TeamTNT is also known as:

Table 2601. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf

https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials

https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server

https://www.aquasec.com/blog/fileless-malware-container-security/

https://unit42.paloaltonetworks.com/atoms/adept-libra/

https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment

https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf

https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked

https://unit42.paloaltonetworks.com/atoms/thieflibra/

https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html

https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

https://www.aquasec.com/blog/teamtnt-reemerged-with-new-aggressive-cloud-campaign/

https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/

https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/

https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera

https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool

https://www.aquasec.com/blog/container-attacks-on-redis-servers/

https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html

https://tolisec.com/active-crypto-mining-operation-by-teamtnt/

https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/

https://www.aquasec.com/blog/container-security-tnt-container-attack/

https://sysdig.com/blog/teamtnt-aws-credentials/

Torii

The tag is: misp-galaxy:malpedia="Torii"

Torii is also known as:

Table 2604. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii

https://blog.avast.com/new-torii-botnet-threat-research

TripleCross

According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.

The tag is: misp-galaxy:malpedia="TripleCross"

TripleCross is also known as:

Table 2605. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.triplecross

https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/

https://github.com/h3xduck/TripleCross

Trump Bot

The tag is: misp-galaxy:malpedia="Trump Bot"

Trump Bot is also known as:

Table 2606. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot

http://paper.seebug.org/345/

tsh

The tag is: misp-galaxy:malpedia="tsh"

tsh is also known as:

Table 2608. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh

https://github.com/creaktive/tsh

Tsunami (ELF)

The tag is: misp-galaxy:malpedia="Tsunami (ELF)"

Tsunami (ELF) is also known as:

  • Amnesia

  • Muhstik

  • Radiation

Table 2609. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami

https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers

https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/

https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt

http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/

https://sysdig.com/blog/muhstik-malware-botnet-analysis/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks

https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server

https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039

https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/

https://blog.aquasec.com/fileless-malware-container-security

https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure

https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134

https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/

https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/

https://asec.ahnlab.com/en/54647/

http://get.cyberx-labs.com/radiation-report

https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/

https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/

https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/

https://www.aquasec.com/blog/container-security-tnt-container-attack/

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

Unidentified Linux 001

According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiate a crypto miner.

The tag is: misp-galaxy:malpedia="Unidentified Linux 001"

Unidentified Linux 001 is also known as:

Table 2612. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001

https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

Unidentified ELF 004

Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.

The tag is: misp-galaxy:malpedia="Unidentified ELF 004"

Unidentified ELF 004 is also known as:

Table 2613. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004

https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/

Unidentified ELF 006 (Tox Backdoor)

Enables remote execution of scripts on a host, communicates via Tox.

The tag is: misp-galaxy:malpedia="Unidentified ELF 006 (Tox Backdoor)"

Unidentified ELF 006 (Tox Backdoor) is also known as:

Table 2615. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_006

https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers

Hive (Vault 8)

The tag is: misp-galaxy:malpedia="Hive (Vault 8)"

Hive (Vault 8) is also known as:

Table 2616. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.vault8_hive

https://github.com/infoskirmish/hive

https://wikileaks.org/vault8/

VPNFilter

The tag is: misp-galaxy:malpedia="VPNFilter"

VPNFilter is also known as:

Table 2618. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en

https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1

https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html

https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf

https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities

https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter

https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf

https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/

https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected

https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf

WatchBog

According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

The tag is: misp-galaxy:malpedia="WatchBog"

WatchBog is also known as:

Table 2619. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog

https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/

elf.wellmess

The tag is: misp-galaxy:malpedia="elf.wellmess"

elf.wellmess is also known as:

Table 2621. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html

https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/

https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29

https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html

https://us-cert.cisa.gov/ncas/alerts/aa21-116a

https://securelist.com/apt-trends-report-q2-2020/97937/

https://community.riskiq.com/article/541a465f/description

https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf

https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

Xaynnalc

The tag is: misp-galaxy:malpedia="Xaynnalc"

Xaynnalc is also known as:

Table 2628. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc

https://twitter.com/michalmalik/status/846368624147353601

xdr33

According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.

The tag is: misp-galaxy:malpedia="xdr33"

xdr33 is also known as:

Table 2630. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xdr33

https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/

XOR DDoS

Linux DDoS C&C Malware

The tag is: misp-galaxy:malpedia="XOR DDoS"

XOR DDoS is also known as:

  • XORDDOS

Table 2631. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos

https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf

https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf

https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/

https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html

https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html

https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/

https://en.wikipedia.org/wiki/Xor_DDoS

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/

https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf

https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf

https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/

Zergeca

Zergeca is a DDoS-botnet and backdoor written in Golang. It uses modified UPX for packing, with the magic number 0x30219101 instead of "UPX!". It is being distributed via weak telnet passwords and known vulnerabilities.

The tag is: misp-galaxy:malpedia="Zergeca"

Zergeca is also known as:

Table 2632. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zergeca

https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet

ZeroBot

ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.

The tag is: misp-galaxy:malpedia="ZeroBot"

ZeroBot is also known as:

  • ZeroStresser

Table 2633. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot

https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/

ZHtrap

The tag is: misp-galaxy:malpedia="ZHtrap"

ZHtrap is also known as:

Table 2634. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap

https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/

Zollard

The tag is: misp-galaxy:malpedia="Zollard"

Zollard is also known as:

  • darlloz

Table 2635. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard

https://blogs.cisco.com/security/the-internet-of-everything-including-malware

ZuoRAT

According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).

The tag is: misp-galaxy:malpedia="ZuoRAT"

ZuoRAT is also known as:

Table 2636. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat

https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/

https://www.mandiant.com/resources/blog/chinese-espionage-tactics

AutoCAD Downloader

Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.

The tag is: misp-galaxy:malpedia="AutoCAD Downloader"

AutoCAD Downloader is also known as:

  • Acad.Bursted

  • Duxfas

Table 2637. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad

https://github.com/Hopfengetraenk/Fas-Disasm

https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft

COOKIESNATCH

According to Google, this is a cookie stealer.

The tag is: misp-galaxy:malpedia="COOKIESNATCH"

COOKIESNATCH is also known as:

Table 2638. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.cookiesnatch

https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

GuiInject

The tag is: misp-galaxy:malpedia="GuiInject"

GuiInject is also known as:

Table 2640. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject

https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/

Phenakite

The tag is: misp-galaxy:malpedia="Phenakite"

Phenakite is also known as:

  • Dakkatoni

Table 2642. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite

https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html

Postlo

The tag is: misp-galaxy:malpedia="Postlo"

Postlo is also known as:

Table 2644. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo

https://twitter.com/opa334dev/status/1374754519268098051

VALIDVICTOR

According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.

The tag is: misp-galaxy:malpedia="VALIDVICTOR"

VALIDVICTOR is also known as:

Table 2646. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.validvictor

https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/

WireLurker (iOS)

The iOS malware that is installed over USB by osx.wirelurker.

The tag is: misp-galaxy:malpedia="WireLurker (iOS)"

WireLurker (iOS) is also known as:

Table 2647. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

AdWind

AdWind is part of a malware-as-a-service platform and is used as a generic name for Java-based RATs.

Functionality:

  • collect general system and user information

  • terminate processes

  • log keystrokes

  • take screenshots and access the webcam

  • steal cached passwords from local or web forms

  • download and execute malware

  • modify the registry

  • download components

  • denial of service attacks

  • acquire VPN certificates

Initial infection vector:

  • email with JAR files attached

  • malspam URL to download the malware

Persistence: Run key at HKCU\Software\Microsoft\Windows\current version\run

Hiding: uses attrib.exe

Notes on Adwind: the malware is not known to be proxy aware.

The tag is: misp-galaxy:malpedia="AdWind"

AdWind is also known as:

  • AlienSpy

  • Frutas

  • JBifrost

  • JSocket

  • Sockrat

  • UNRECOM

Table 2649. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind

https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/

https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html

https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html

https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://blogs.seqrite.com/evolution-of-jrat-java-malware/

https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/

https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885

https://research.checkpoint.com/malware-against-the-c-monoculture/

https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat

http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

http://malware-traffic-analysis.net/2017/07/04/index.html

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://citizenlab.ca/2015/12/packrat-report/

Adzok

The tag is: misp-galaxy:malpedia="Adzok"

Adzok is also known as:

Table 2650. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok

https://citizenlab.ca/2015/12/packrat-report/

DynamicRAT

DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.

The tag is: misp-galaxy:malpedia="DynamicRAT"

DynamicRAT is also known as:

  • DYNARAT

Table 2654. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.dynamicrat

https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694

EpicSplit RAT

EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.

The tag is: misp-galaxy:malpedia="EpicSplit RAT"

EpicSplit RAT is also known as:

Table 2655. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit

https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat

FEimea RAT

The tag is: misp-galaxy:malpedia="FEimea RAT"

FEimea RAT is also known as:

Table 2656. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat

https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

IceRat

According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.

The tag is: misp-galaxy:malpedia="IceRat"

IceRat is also known as:

Table 2657. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat

https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp

JavaDispCash

JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM’s local application, and the goal is to remotely control its operation. The malware’s primary feature is the ability to dispense cash. The malware also opens a local port (65413) listening for commands from the attacker, who needs to be located in the same internal network.

The tag is: misp-galaxy:malpedia="JavaDispCash"

JavaDispCash is also known as:

Table 2658. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash

https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore

https://twitter.com/r3c0nst/status/1111254169623674882

jRAT

jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.

The tag is: misp-galaxy:malpedia="jRAT"

jRAT is also known as:

  • Jacksbot

Table 2660. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat

https://www.eff.org/files/2018/01/29/operation-manul.pdf

https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered

https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/

https://research.checkpoint.com/malware-against-the-c-monoculture/

https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/

jSpy

The tag is: misp-galaxy:malpedia="jSpy"

jSpy is also known as:

Table 2661. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy

https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/

Mineping

DDoS for Minecraft servers.

The tag is: misp-galaxy:malpedia="Mineping"

Mineping is also known as:

Table 2662. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.mineping

https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/

https://github.com/foxkera/mineping

Qarallax RAT

According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).

The tag is: misp-galaxy:malpedia="Qarallax RAT"

Qarallax RAT is also known as:

Table 2665. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat

http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/

QRat

QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screenshots/streaming, …), and it comes as a SaaS. For additional historical context, please see jar.qarallax.

The tag is: misp-galaxy:malpedia="QRat"

QRat is also known as:

  • Quaverse RAT

Table 2667. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat

https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—​Remote-Access-as-a-Service/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/

https://www.digitrustgroup.com/java-rat-qrat/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

The tag is: misp-galaxy:malpedia="Ratty"

Ratty is also known as:

Table 2668. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty

https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

Sorillus RAT

Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies. The tool’s creator and distributor, a YouTube user known as "Tapt", asserts that the tool is able to collect the following information from its target:

  • HardwareID

  • Username

  • Country

  • Language

  • Webcam

  • Headless

  • Operating system

  • Client Version

The tag is: misp-galaxy:malpedia="Sorillus RAT"

Sorillus RAT is also known as:

Table 2669. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus

https://abnormalsecurity.com/blog/tax-customers-sorillus-rat

STRRAT

STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

From version 1.2 onwards, STRRAT became infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT includes a proper encryption routine, though it is currently simple to reverse.

The tag is: misp-galaxy:malpedia="STRRAT"

STRRAT is also known as:

Table 2670. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat

https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf

https://forensicitguy.github.io/strrat-attached-to-msi/

https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain

https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/

https://twitter.com/MsftSecIntel/status/1395138347601854465

https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/

https://www.jaiminton.com/reverse-engineering/strrat

https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1

https://isc.sans.edu/diary/rss/27798

https://www.gdatasoftware.com/blog/strrat-crimson

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://www.jaiminton.com/reverse-engineering/strrat#

https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign

SupremeBot

The tag is: misp-galaxy:malpedia="SupremeBot"

SupremeBot is also known as:

  • BlazeBot

Table 2671. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot

https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

Verblecon

This malware seems to be used in attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.

The tag is: misp-galaxy:malpedia="Verblecon"

Verblecon is also known as:

Table 2672. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord

VersaMem

According to Lumen, VersaMem is a web shell used by Volt Typhoon.

The tag is: misp-galaxy:malpedia="VersaMem"

VersaMem is also known as:

Table 2673. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.versamem

https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/

AIRBREAK

AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.

The tag is: misp-galaxy:malpedia="AIRBREAK"

AIRBREAK is also known as:

  • Orz

Table 2674. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak

https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html

http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html

https://www.secureworks.com/research/threat-profiles/bronze-mohawk

BeaverTail

BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.

The tag is: misp-galaxy:malpedia="BeaverTail"

BeaverTail is also known as:

Table 2676. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail

https://www.securonix.com/blog/research-update-threat-actors-behind-the-devpopper-campaign-have-retooled-and-are-continuing-to-target-software-developers-via-social-engineering/

https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html

https://stacklok.com/blog/dependency-hijacking-dissecting-north-koreas-new-wave-of-defi-themed-open-source-attacks-targeting-developers

https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/

https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ

https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west

https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/

https://www.group-ib.com/blog/apt-lazarus-python-scripts/

https://securityscorecard.com/blog/the-job-offer-that-wasnt-how-we-stopped-an-espionage-plot

BELLHOP

BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:

  • Creating a Run key in the Registry

  • Creating a RunOnce key in the Registry

  • Creating a persistent named scheduled task

BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

The tag is: misp-galaxy:malpedia="BELLHOP"

BELLHOP is also known as:

Table 2677. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

ChromeBack

GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.

The tag is: misp-galaxy:malpedia="ChromeBack"

ChromeBack is also known as:

Table 2679. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback

https://unit42.paloaltonetworks.com/chromeloader-malware/

https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/

ClearFake

ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.

The tag is: misp-galaxy:malpedia="ClearFake"

ClearFake is also known as:

Table 2680. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake

https://www.kroll.com/en/insights/publications/cyber/clearfake-update-tricks-victim-executing-malicious-powershell-code

https://rmceoin.github.io/malware-analysis/clearfake/

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/

CryptoNight

WebAssembly-based crypto miner.

The tag is: misp-galaxy:malpedia="CryptoNight"

CryptoNight is also known as:

Table 2681. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight

https://twitter.com/JohnLaTwC/status/983011262731714565

https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec

doenerium

Open-source JavaScript info stealer with the capabilities of stealing crypto wallets, passwords and cookies, and modifying Discord clients: https://github.com/doener2323/doenerium

The tag is: misp-galaxy:malpedia="doenerium"

doenerium is also known as:

Table 2685. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium

https://twitter.com/0xToxin/status/1572612089901993985

https://perception-point.io/doenerium-malware/

Enrume

The tag is: misp-galaxy:malpedia="Enrume"

Enrume is also known as:

  • Ransom32

Table 2686. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume

https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/

FakeUpdateRU

FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.

The tag is: misp-galaxy:malpedia="FakeUpdateRU"

FakeUpdateRU is also known as:

Table 2688. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdateru

https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html

FAKEUPDATES

FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.

FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.

The tag is: misp-galaxy:malpedia="FAKEUPDATES"

FAKEUPDATES is also known as:

  • FakeUpdate

  • SocGholish

Table 2689. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates

https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html

https://experience.mandiant.com/trending-evil/p/1

https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt

https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/

https://malasada.tech/the-landupdate808-fake-update-variant/

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

https://x.com/GenThreatLabs/status/1840762181668741130

https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends

https://www.menlosecurity.com/blog/increase-in-attack-socgholish

https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/

https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems

https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://twitter.com/MsftSecIntel/status/1522690116979855360

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond

https://www.lac.co.jp/lacwatch/report/20220407_002923.html

https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/

https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/

https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm

https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack

https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee

GootLoader

According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.

The tag is: misp-galaxy:malpedia="GootLoader"

GootLoader is also known as:

  • SLOWPOUR

Table 2690. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader

https://malasada.tech/gootloader-isnt-broken/

https://gootloader.wordpress.com/2024/02/14/my-game-retired-latest-changes-to-gootloader/

https://www.reliaquest.com/blog/gootloader-infection-credential-access/

https://intel471.com/blog/threat-hunting-case-study-tracking-down-gootloader

https://x.com/MsftSecIntel/status/1836456406276342215

https://experience.mandiant.com/trending-evil/p/1

https://dinohacks.blogspot.com/2022/06/loading-gootloader.html

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader

https://github.com/struppigel/hedgehog-tools/tree/main/gootloader

https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain

https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/

https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/

https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html

https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf

https://gootloader.wordpress.com/2024/06/24/gootloaders-new-hideout-revealed-the-malware-hunt-in-wordpress-shadows/

https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique

https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations

https://redcanary.com/blog/gootloader

https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf

https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/

https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/

https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/

https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/

https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/

https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/

https://thedfirreport.com/2024/02/26/seo-poisoning-to-domain-control-the-gootloader-saga-continues/

https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Detecting-GOOTLOADER-with-Google-Security/ba-p/823766

https://community.riskiq.com/article/f5d5ed38

https://www.esentire.com/web-native-pages/gootloader-unloaded

grelos

grelos is a skimmer used for magecart-style attacks.

The tag is: misp-galaxy:malpedia="grelos"

grelos is also known as:

Table 2691. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos

https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745

https://www.riskiq.com/blog/labs/magecart-medialand/

https://community.riskiq.com/article/8c4b4a7a

Griffon

GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.

The tag is: misp-galaxy:malpedia="Griffon"

Griffon is also known as:

  • Harpy

Table 2692. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape

https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

https://www.secureworks.com/research/threat-profiles/gold-niagara

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/

https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.mandiant.com/resources/evolution-of-fin7

https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

https://twitter.com/ItsReallyNick/status/1059898708286939136

inter

The tag is: misp-galaxy:malpedia="inter"

inter is also known as:

Table 2693. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.inter

https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

Jeniva

The tag is: misp-galaxy:malpedia="Jeniva"

Jeniva is also known as:

Table 2694. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

Jetriz

The tag is: misp-galaxy:malpedia="Jetriz"

Jetriz is also known as:

Table 2695. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

LNKR

The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension executes a stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains.

The tag is: misp-galaxy:malpedia="LNKR"

LNKR is also known as:

Table 2698. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr

https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

https://www.riskiq.com/blog/labs/lnkr-browser-extension/

https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md

https://github.com/Zenexer/lnkr

magecart

Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it is a sophisticated implant built on top of relays, command and control servers and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in JavaScript included in a compromised checkout page. It copies data from "input fields" and sends it to a relay, which collects credit cards coming from a subset of compromised eCommerce sites and forwards them to Command and Control servers.

The tag is: misp-galaxy:malpedia="magecart"

magecart is also known as:

Table 2699. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart

https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html

https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218

https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season

https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://www.riskiq.com/blog/labs/magecart-group-12-olympics/

https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/

https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/

https://community.riskiq.com/article/5bea32aa

https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf

https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html

https://www.reflectiz.com/the-gocgle-web-skimming-campaign/

https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/

https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter

https://www.riskiq.com/blog/labs/magecart-nutribullet/

https://community.riskiq.com/article/30f22a00

https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/

https://sansec.io/research/magecart-corona-lockdown

https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/

https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/

https://sansec.io/research/magento-2-persistent-parasite

https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://www.goggleheadedhacker.com/blog/post/14

https://geminiadvisory.io/magecart-google-tag-manager/

https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/

https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/

https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/

https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/

https://twitter.com/AffableKraut/status/1415425132080816133?s=20

https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/

https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/

https://community.riskiq.com/article/743ea75b/description

https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf

https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/

https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/

https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/

https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf

https://community.riskiq.com/article/fda1f967

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/

https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/

https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/

https://community.riskiq.com/article/017cf2e6

https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/

https://twitter.com/MBThreatIntel/status/1416101496022724609

https://community.riskiq.com/article/2efc2782

https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/

https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/

https://www.riskiq.com/blog/labs/magecart-medialand/

https://community.riskiq.com/article/14924d61

https://sansec.io/research/north-korea-magecart

https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html

https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/

https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html

https://twitter.com/AffableKraut/status/1385030485676544001

https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf

megaMedusa

MegaMedusa is a NodeJS Layer-7 DDoS machine provided by the RipperSec Team.

The tag is: misp-galaxy:malpedia="megaMedusa"

megaMedusa is also known as:

Table 2700. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.mega_medusa

https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/

MiniJS

MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.

The tag is: misp-galaxy:malpedia="MiniJS"

MiniJS is also known as:

Table 2701. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs

https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details

MintsLoader

According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from a very characteristic use of a URL parameter "1.php?s=mintsXX" (with XX being numbers).

MintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which use a domain generation algorithm (DGA) with .top TLD.

The tag is: misp-galaxy:malpedia="MintsLoader"

MintsLoader is also known as:

Table 2702. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.mints_loader

https://nikhilh-20.github.io/blog/deob_js_ast/

https://x.com/CERTCyberdef/status/1849392561024065779

https://github.com/cert-orangecyberdefense/mintsloader

More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file

  • gtfo = delete files/startup entries and terminate

  • more_eggs = download additional/new scripts

  • more_onion = run new script and terminate current script

  • more_power = run command shell commands

The tag is: misp-galaxy:malpedia="More_eggs"

More_eggs is also known as:

  • SKID

  • SpicyOmelette

Table 2703. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs

https://github.com/eset/malware-ioc/tree/master/evilnum

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers

https://asert.arbornetworks.com/double-the-infection-double-the-fun/

https://www.esentire.com/web-native-pages/unmasking-venom-spider

https://twitter.com/Arkbird_SOLG/status/1301536930069278727

https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.secureworks.com/research/threat-profiles/gold-kingswood

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf

https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/

https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

https://blog.morphisec.com/cobalt-gang-2.0

https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware

https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw

https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing

https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/

https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1

https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire

https://attack.mitre.org/software/S0284/

https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.

The tag is: misp-galaxy:malpedia="NanHaiShu"

NanHaiShu is also known as:

Table 2704. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu

https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

https://attack.mitre.org/software/S0228/

OFFODE

According to the author, this is a project that will give an understanding of bypassing Multi Factor Authentication (MFA) of an Outlook account. It is built in node.js and uses playwright for the automation in the backend.

The tag is: misp-galaxy:malpedia="OFFODE"

OFFODE is also known as:

Table 2706. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.offode

https://github.com/Jhangju/offode

ostap

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

  • AgentSimulator.exe

  • anti-virus.EXE

  • BehaviorDumper

  • BennyDB.exe

  • ctfmon.exe

  • fakepos_bin

  • FrzState2k

  • gemu-ga.exe (possible misspelling of the Qemu hypervisor's guest agent, qemu-ga.exe)

  • ImmunityDebugger.exe

  • KMS Server Service.exe

  • ProcessHacker

  • procexp

  • Proxifier.exe

  • python

  • tcpdump

  • VBoxService

  • VBoxTray.exe

  • VmRemoteGuest

  • vmtoolsd

  • VMware2B.exe

  • VzService.exe

  • winace

  • Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

The tag is: misp-galaxy:malpedia="ostap"

ostap is also known as:

Table 2707. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap

https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/

https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter

https://www.intrinsec.com/deobfuscating-hunting-ostap/

https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/

https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/

Parrot TDS

This malicious code, written in JavaScript, is used as a Traffic Direction System (TDS). This TDS shows similarities to the Prometheus TDS. According to DECODED Avast.io, this TDS has been active since October 2021.

The tag is: misp-galaxy:malpedia="Parrot TDS"

Parrot TDS is also known as:

Table 2709. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.parrot_tds

https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

PeaceNotWar

PeaceNotWar was integrated into the nodejs module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.

The tag is: misp-galaxy:malpedia="PeaceNotWar"

PeaceNotWar is also known as:

Table 2710. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar

https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c

https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers

https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/

PindOS

The tag is: misp-galaxy:malpedia="PindOS"

PindOS is also known as:

Table 2711. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.pindos

https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

QNodeService

According to Trend Micro, this is a Node.js based malware that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32- and 64-bit.

The tag is: misp-galaxy:malpedia="QNodeService"

QNodeService is also known as:

Table 2713. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice

https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/

https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf

QUICKCAFE

QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.

The tag is: misp-galaxy:malpedia="QUICKCAFE"

QUICKCAFE is also known as:

Table 2714. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

SQLRat

SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.

The tag is: misp-galaxy:malpedia="SQLRat"

SQLRat is also known as:

Table 2716. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

Starfighter (Javascript)

According to the author, this is a JavaScript based Empire launcher that runs with its own embedded PowerShell host so as not to be dependent on local PowerShell availability.

The tag is: misp-galaxy:malpedia="Starfighter (Javascript)"

Starfighter (Javascript) is also known as:

Table 2717. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter

https://github.com/Cn33liz/StarFighters

Swid

The tag is: misp-galaxy:malpedia="Swid"

Swid is also known as:

Table 2718. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.swid

https://imp0rtp3.wordpress.com/2021/08/12/tetris/

Maintools.js

Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.

The tag is: misp-galaxy:malpedia="Maintools.js"

Maintools.js is also known as:

Table 2720. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools

https://twitter.com/JohnLaTwC/status/915590893155098629

Unidentified JS 001 (APT32 Profiler)

The tag is: misp-galaxy:malpedia="Unidentified JS 001 (APT32 Profiler)"

Unidentified JS 001 (APT32 Profiler) is also known as:

Table 2721. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001

https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f

https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef

Unidentified JS 003 (Emotet Downloader)

According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.

The tag is: misp-galaxy:malpedia="Unidentified JS 003 (Emotet Downloader)"

Unidentified JS 003 (Emotet Downloader) is also known as:

Table 2722. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003

https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/

Unidentified JS 004

A simple loader written in JavaScript found by Marco Ramilli.

The tag is: misp-galaxy:malpedia="Unidentified JS 004"

Unidentified JS 004 is also known as:

Table 2723. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004

https://marcoramilli.com/2020/11/27/threat-actor-unkown/

Unidentified JS 005 (Stealer)

The tag is: misp-galaxy:malpedia="Unidentified JS 005 (Stealer)"

Unidentified JS 005 (Stealer) is also known as:

Table 2724. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005

https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html

Unidentified JS 006 (Winter Wyvern)

A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.

The tag is: misp-galaxy:malpedia="Unidentified JS 006 (Winter Wyvern)"

Unidentified JS 006 (Winter Wyvern) is also known as:

Table 2725. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_006

https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf

https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/

Unidentified JS 002

The tag is: misp-galaxy:malpedia="Unidentified JS 002"

Unidentified JS 002 is also known as:

Table 2726. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002

Valak

According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).

Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems when they are already infected with malicious programs such as Ursnif (also known as Gozi).

The tag is: misp-galaxy:malpedia="Valak"

Valak is also known as:

  • Valek

Table 2727. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.valak

https://security-soup.net/analysis-of-valak-maldoc/

https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/

https://unit42.paloaltonetworks.com/valak-evolution/

https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/

https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html

https://threatresearch.ext.hp.com/detecting-ta551-domains/

https://blog.talosintelligence.com/2020/07/valak-emerges.html

https://unit42.paloaltonetworks.com/atoms/monsterlibra/

https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7

https://twitter.com/malware_traffic/status/1207824548021886977

https://www.cybereason.com/blog/valak-more-than-meets-the-eye

witchcoven

The tag is: misp-galaxy:malpedia="witchcoven"

witchcoven is also known as:

Table 2728. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

3CX Backdoor (OS X)

The tag is: misp-galaxy:malpedia="3CX Backdoor (OS X)"

3CX Backdoor (OS X) is also known as:

Table 2730. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor

https://objective-see.org/blog/blog_0x74.html

https://objective-see.org/blog/blog_0x73.html

AppleJeus (OS X)

According to PcRisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.

The tag is: misp-galaxy:malpedia="AppleJeus (OS X)"

AppleJeus (OS X) is also known as:

Table 2732. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment

https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://us-cert.cisa.gov/ncas/alerts/aa21-048a

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g

https://objective-see.com/blog/blog_0x5F.html

https://securelist.com/apt-trends-report-q2-2020/97937/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f

https://www.youtube.com/watch?v=rjA0Vf75cYk

https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56

https://securelist.com/operation-applejeus/87553/

https://objective-see.com/blog/blog_0x54.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e

https://www.youtube.com/watch?v=1NkzTKkEM2k

https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

https://securelist.com/operation-applejeus-sequel/95596/

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a

https://objective-see.com/blog/blog_0x49.html

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d

https://vblocalhost.com/uploads/VB2021-Park.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

Careto

The tag is: misp-galaxy:malpedia="Careto"

Careto is also known as:

  • Appetite

  • Mask

Table 2736. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

CDDS

Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.

The tag is: misp-galaxy:malpedia="CDDS"

CDDS is also known as:

  • Macma

Table 2738. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds

https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/

https://objective-see.com/blog/blog_0x69.html

https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/

https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/

CoinThief

CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources:

  • on Github (where the trojanized compiled binary didn't match the displayed source code),

  • on popular and trusted download sites like CNET's Download.com or MacUpdate.com, and

  • as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher's role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt, adding malicious code that would send nearly all the victim's Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and were disguised as a "Pop-up blocker". The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker's address or simply harvest login credentials to the targeted online service.

The backdoor enabled the attacker to take full control over the victim's computer:

  • collect information about the infected computer

  • execute arbitrary shell scripts on the target computer

  • upload an arbitrary file from the victim's hard drive to a remote server

  • update itself to a newer version

The tag is: misp-galaxy:malpedia="CoinThief"

CoinThief is also known as:

Table 2741. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief

https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

Coldroot RAT

The tag is: misp-galaxy:malpedia="Coldroot RAT"

Coldroot RAT is also known as:

Table 2742. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat

https://objective-see.com/blog/blog_0x2A.html

https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf

Convuster

The tag is: misp-galaxy:malpedia="Convuster"

Convuster is also known as:

Table 2743. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster

https://securelist.com/convuster-macos-adware-in-rust/101258/

CpuMeaner

The tag is: misp-galaxy:malpedia="CpuMeaner"

CpuMeaner is also known as:

Table 2744. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner

https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/

Cthulhu Stealer

The tag is: misp-galaxy:malpedia="Cthulhu Stealer"

Cthulhu Stealer is also known as:

Table 2748. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cthulhu_stealer

https://www.cadosecurity.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos

Dacls (OS X)

According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.

Research shows that this malware is tied to Lazarus Group and targets Linux and Windows as well as macOS (this entry covers the macOS variant; see the Malwarebytes and Objective-See references below). Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be removed immediately.

The tag is: misp-galaxy:malpedia="Dacls (OS X)"

Dacls (OS X) is also known as:

Table 2749. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/

https://objective-see.com/blog/blog_0x57.html

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://objective-see.com/blog/blog_0x5F.html

https://securelist.com/apt-trends-report-q2-2020/97937/

https://www.sygnia.co/mata-framework

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/

https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

Dummy

The tag is: misp-galaxy:malpedia="Dummy"

Dummy is also known as:

Table 2753. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy

https://objective-see.com/blog/blog_0x32.html

Eleanor

Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses the Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.

The Tor service transforms the victim's computer into a server that provides the attackers with fully anonymous access to the infected machine via a Tor-generated address.

The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.

The web service is the main malicious component and provides the attackers with control over the infected machine. After successful authentication, the interface offers several control panels that allow the attackers to perform the following actions:

  • Managing files

  • Listing processes

  • Connecting to various database management systems such as MySQL or SQLite

  • Connecting via bind/reverse shell

  • Executing shell commands

  • Capturing and browsing images and videos from the victim’s webcam

  • Sending emails with an attachment

The tag is: misp-galaxy:malpedia="Eleanor"

Eleanor is also known as:

Table 2754. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor

https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/

ElectroRAT

According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.

The tag is: misp-galaxy:malpedia="ElectroRAT"

ElectroRAT is also known as:

Table 2755. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/

https://objective-see.com/blog/blog_0x61.html

EvilOSX

The tag is: misp-galaxy:malpedia="EvilOSX"

EvilOSX is also known as:

Table 2756. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx

https://github.com/Marten4n6/EvilOSX

https://twitter.com/JohnLaTwC/status/966139336436498432

EvilQuest

According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.

It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

The tag is: misp-galaxy:malpedia="EvilQuest"

EvilQuest is also known as:

  • ThiefQuest

Table 2757. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest

https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/

https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/

https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://objective-see.com/blog/blog_0x5F.html

https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities

https://twitter.com/dineshdina04/status/1277668001538433025

https://objective-see.com/blog/blog_0x59.html

https://github.com/gdbinit/evilquest_deobfuscator

https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/

FailyTale

The tag is: misp-galaxy:malpedia="FailyTale"

FailyTale is also known as:

Table 2758. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale

https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/

FULLHOUSE

Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and combines a tunneler with backdoor commands such as shell command execution, file transfer, file management and process injection. C2 communication occurs via HTTP and requires configuration through the command line or a configuration file.

The tag is: misp-galaxy:malpedia="FULLHOUSE"

FULLHOUSE is also known as:

Table 2762. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.fullhouse

https://www.mandiant.com/resources/blog/north-korea-supply-chain

GIMMICK (OS X)

GIMMICK is the name Volexity gave to the macOS variant, written in Objective-C, of a multi-platform malware family. It is a file-based C2 implant used by Storm Cloud.

The tag is: misp-galaxy:malpedia="GIMMICK (OS X)"

GIMMICK (OS X) is also known as:

Table 2763. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick

https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/

https://cybersecuritynews.com/gimmick-malware-attacks/

Gmera

According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.

Research shows that there are two variants of this malware, detected as Trojan.MacOS.GMERA.A and Trojan.MacOS.GMERA.B. Cyber criminals distribute GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.

The tag is: misp-galaxy:malpedia="Gmera"

Gmera is also known as:

  • Kassi

  • StockSteal

Table 2764. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera

https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/

https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/

https://objective-see.com/blog/blog_0x53.html

HiddenLotus

According to Malwarebytes, The HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.

The tag is: misp-galaxy:malpedia="HiddenLotus"

HiddenLotus is also known as:

Table 2765. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus

https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/

HLOADER

The tag is: misp-galaxy:malpedia="HLOADER"

HLOADER is also known as:

Table 2766. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.hloader

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

HZ RAT (OS X)

The tag is: misp-galaxy:malpedia="HZ RAT (OS X)"

HZ RAT (OS X) is also known as:

Table 2767. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.hz_rat

https://www.intego.com/mac-security-blog/new-macos-malware-hz-rat-gives-attackers-backdoor-access-to-macs/

iMuler

The threat was multi-stage malware that displayed a decoy appearing to the victim as a Chinese-language article on the long-running dispute over the Diaoyu Islands, an array of erotic pictures, or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor, capable of the following operations:

  • capture screenshots

  • exfiltrate files to a remote computer

  • send various information about the infected computer

  • extract ZIP archive

  • download files from a remote computer and/or the Internet

  • run executable files

The tag is: misp-galaxy:malpedia="iMuler"

iMuler is also known as:

  • Revir

Table 2768. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler

https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/

http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html

https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/

JokerSpy

The tag is: misp-galaxy:malpedia="JokerSpy"

JokerSpy is also known as:

Table 2771. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.jokerspy

https://www.elastic.co/security-labs/inital-research-of-jokerspy

KANDYKORN

The tag is: misp-galaxy:malpedia="KANDYKORN"

KANDYKORN is also known as:

Table 2772. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kandykorn

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

Kitmos

The tag is: misp-galaxy:malpedia="Kitmos"

Kitmos is also known as:

  • KitM

Table 2775. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos

https://www.f-secure.com/weblog/archives/00002558.html

Kuiper (OS X)

The tag is: misp-galaxy:malpedia="Kuiper (OS X)"

Kuiper (OS X) is also known as:

Table 2777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kuiper

https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/

Lambert (OS X)

The tag is: misp-galaxy:malpedia="Lambert (OS X)"

Lambert (OS X) is also known as:

  • GreenLambert

Table 2779. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert

https://objective-see.com/blog/blog_0x68.html

MacInstaller

The tag is: misp-galaxy:malpedia="MacInstaller"

MacInstaller is also known as:

Table 2784. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller

https://objective-see.com/blog/blog_0x16.html

MacSpy

The tag is: misp-galaxy:malpedia="MacSpy"

MacSpy is also known as:

Table 2786. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy

https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

MacVX

The tag is: misp-galaxy:malpedia="MacVX"

MacVX is also known as:

Table 2787. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx

https://objective-see.com/blog/blog_0x16.html

MaMi

The tag is: misp-galaxy:malpedia="MaMi"

MaMi is also known as:

Table 2788. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami

https://objective-see.com/blog/blog_0x26.html

Mughthesec

The tag is: misp-galaxy:malpedia="Mughthesec"

Mughthesec is also known as:

Table 2791. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec

https://objective-see.com/blog/blog_0x20.html

NetWire

The tag is: misp-galaxy:malpedia="NetWire"

NetWire is also known as:

Table 2792. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.netwire

https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/

OceanLotus

According to PcRisk, research shows that the OceanLotus 'backdoor' targets macOS computers. The cyber criminals behind this backdoor have already used it to attack human rights and media organizations, research institutes, and maritime construction companies.

The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).

The tag is: misp-galaxy:malpedia="OceanLotus"

OceanLotus is also known as:

Table 2793. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus

https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/

https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam

https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/

https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468

https://brandefense.io/blog/apt-groups/ocean-lotus-apt-group/

OSAMiner

The tag is: misp-galaxy:malpedia="OSAMiner"

OSAMiner is also known as:

Table 2796. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer

https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Patcher

This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.

The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.

The file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded a ransom in Bitcoin, as instructed in the 'README!.txt' file copied all over the user's directories.

Despite the instructions being quite thorough, Patcher had no functionality to communicate with any C&C server, so the key was never sent to its operators, making it impossible for them to decrypt affected files. The randomly generated key was also too long to be recovered by brute force, leaving the encrypted data unrecoverable in any reasonable amount of time.

The tag is: misp-galaxy:malpedia="Patcher"

Patcher is also known as:

  • FileCoder

  • Findzip

Table 2797. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher

http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/

PintSized

A backdoor built as a fork of OpenSSH 6.0 with logging removed and hidden "-P" and "-z" command-line arguments. Samples contain the string "PuffySSH_5.8p1".

The tag is: misp-galaxy:malpedia="PintSized"

PintSized is also known as:

Table 2798. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized

https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/

Poseidon (OS X)

Agent for the Mythic C2 framework, written in Golang.

The tag is: misp-galaxy:malpedia="Poseidon (OS X)"

Poseidon (OS X) is also known as:

Table 2801. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidon

https://github.com/MythicAgents/poseidon

Poseidon Stealer

A macOS infostealer sold by an individual known as Rodrigo4. It is currently distributed as a disk image containing a bare Mach-O (no app bundle) which, when executed, spawns osascript to run an AppleScript carrying the actual infostealer payload. The AppleScript steals files by packing them into a ZIP archive and uploading it to a hardcoded C2 via HTTP.
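The delivery chain described above (a bare Mach-O run straight off a mounted disk image, which then spawns osascript) is something a process-start log can be checked for. The following is an added detection example, not code from the Malpedia entry or from any Poseidon report: the event records are constructed for the demonstration and loosely shaped like an EDR process-start record, and the rule assumes macOS's default disk-image mount point under /Volumes/ and treats any path containing ".app/" as a normal app bundle.

```python
import os

# Constructed process-start events (not from any real incident). pid 620 is a
# bare Mach-O launched from a mounted disk image; pid 700 and pid 800 are real
# app bundles, one of them also sitting on a DMG.
EVENTS = [
    {"pid": 501, "ppid": 1,   "exe": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"pid": 620, "ppid": 501, "exe": "/Volumes/Installer/Launcher"},
    {"pid": 621, "ppid": 620, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "/private/tmp/run.scpt"]},
    {"pid": 700, "ppid": 501, "exe": "/Applications/Script Editor.app/Contents/MacOS/Script Editor"},
    {"pid": 701, "ppid": 700, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'display dialog "hi"']},
    {"pid": 800, "ppid": 501, "exe": "/Volumes/Vendor Installer/Vendor.app/Contents/MacOS/Vendor"},
    {"pid": 801, "ppid": 800, "exe": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'tell application "Finder" to activate']},
]

DMG_MOUNT_ROOT = "/Volumes/"   # default mount point for disk images on macOS


def is_bare_binary_on_dmg(path):
    """True for an executable under /Volumes/ that is not inside an .app bundle."""
    return path.startswith(DMG_MOUNT_ROOT) and ".app/" not in path


def find_dmg_osascript(events):
    """Return [(child_pid, parent_exe)] for every osascript process whose
    parent is a bare Mach-O running from a mounted disk image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if os.path.basename(e["exe"]) != "osascript":
            continue
        parent = by_pid.get(e["ppid"])
        if parent and is_bare_binary_on_dmg(parent["exe"]):
            hits.append((e["pid"], parent["exe"]))
    return hits


if __name__ == "__main__":
    for pid, parent in find_dmg_osascript(EVENTS):
        print(f"osascript pid {pid} spawned by bare binary on disk image: {parent}")
```

Legitimate installers shipped on a DMG are almost always proper app bundles, which is why the rule keys on the combination of the mount point and the missing bundle rather than on osascript alone; osascript itself is used constantly by benign software.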

The tag is: misp-galaxy:malpedia="Poseidon Stealer"

Poseidon Stealer is also known as:

  • Rodrigo Stealer

Table 2802. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidonstealer

https://www.malwarebytes.com/blog/news/2024/06/poseidon-mac-stealer-distributed-via-google-ads

https://github.com/govcert-ch/CTI/tree/main/20240627_macOS_PoseidonStealer

https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/poseidon_bericht.html

Proton RAT

Proton RAT is a Remote Access Trojan (RAT) specifically designed for macOS systems. It is known for providing attackers with complete remote control over the infected system, allowing the execution of commands, keystroke capturing, access to the camera and microphone, and the ability to steal credentials stored in browsers and other password managers. This malware typically spreads through malicious or modified applications, which, when downloaded and installed by unsuspecting users, trigger its payload. Proton RAT is notorious for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.

The tag is: misp-galaxy:malpedia="Proton RAT"

Proton RAT is also known as:

  • Calisto

Table 2803. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat

https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/

https://objective-see.com/blog/blog_0x1D.html

https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does

https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/

https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/

https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf

https://securelist.com/calisto-trojan-for-macos/86543/

https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/

https://objective-see.com/blog/blog_0x1F.html

Pwnet

Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.

The tag is: misp-galaxy:malpedia="Pwnet"

Pwnet is also known as:

Table 2804. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet

https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/

Dok

Dok, a.k.a. Retefe, is the macOS version of the Retefe banking trojan. It consists of a code-signed Mach-O dropper, usually malspammed inside an app bundle within a DMG disk image posing as a document. The dropper's primary purpose is to install a Tor client together with a malicious CA certificate and a proxy PAC URL, so that traffic to targeted sites is redirected through the attackers' Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to block access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.
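The three host-level changes the entry lists (a proxy PAC that sends selected sites to a local proxy, an extra root CA, and hosts-file entries blackholing Apple and VirusTotal) can each be checked from their artefacts. The following triage script is an added example, not code from the Malpedia entry or from any Dok analysis: the hosts file, PAC script and certificate block are constructed samples, and the assumption is that on a real Mac the inputs would come from /etc/hosts, from `networksetup -getautoproxyurl <service>` and from a PEM dump of the trust store, compared against a baseline exported from a known-clean machine.

```python
import base64
import hashlib
import re

# Constructed sample hosts file: ordinary entries plus the Apple/VirusTotal
# blackholing the Dok description mentions.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# added by installer
127.0.0.1 apple.com www.apple.com
127.0.0.1 virustotal.com www.virustotal.com
"""

# Constructed sample PAC script: only the targeted sites go through the proxy,
# everything else stays DIRECT, which is why a glance at browser traffic
# would not reveal it.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example-bank.test") || shExpMatch(host, "ebanking.test"))
    return "PROXY 127.0.0.1:5555";
  return "DIRECT";
}
"""

WATCHED_DOMAINS = ("apple.com", "virustotal.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def hijacked_hosts(text, watched=WATCHED_DOMAINS):
    """Entries that pin a watched domain (or any subdomain of it) to an address;
    a clean hosts file never mentions these names at all."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in watched)]


PROXY_RE = re.compile(r'return\s+"(?:PROXY|HTTPS|SOCKS5?)\s+([^";\s]+)', re.I)


def pac_proxies(pac_text):
    """Proxy endpoints a PAC script can return. A loopback proxy on a
    workstation that never configured one is the pattern to look for."""
    return sorted(set(PROXY_RE.findall(pac_text)))


def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each PEM block, i.e. the value that
    `openssl x509 -fingerprint -sha256` prints."""
    fps = []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                          pem_text, re.S):
        der = base64.b64decode("".join(b64.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def unknown_roots(pem_text, baseline):
    """Fingerprints in the trust-store dump that the clean baseline lacks."""
    return [fp for fp in cert_fingerprints(pem_text) if fp not in baseline]


# Constructed placeholder block: fingerprinting only needs the DER bytes, so a
# fake body is enough to exercise the comparison offline.
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(b"not-a-real-cert").decode()
            + "\n-----END CERTIFICATE-----\n")
BASELINE = set()   # would hold the fingerprints exported from a clean system

if __name__ == "__main__":
    print("hosts hijacks :", hijacked_hosts(SAMPLE_HOSTS))
    print("PAC proxies   :", pac_proxies(SAMPLE_PAC))
    print("unknown roots :", unknown_roots(FAKE_PEM, BASELINE))
```

The hosts check is deliberately broad (any mention of the watched domains, whatever the address) because the point of the entry is that a workstation has no business resolving apple.com or virustotal.com locally; the PAC check reports every proxy endpoint rather than judging it, since whether 127.0.0.1:5555 is legitimate depends on the host's expected configuration.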

The tag is: misp-galaxy:malpedia="Dok"

Dok is also known as:

  • Retefe

Table 2805. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe

https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe

https://www.govcert.admin.ch/blog/33/the-retefe-saga

https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/

http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

Silver Sparrow

According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple's M1 chips but has so far been distributed without a payload.

The tag is: misp-galaxy:malpedia="Silver Sparrow"

Silver Sparrow is also known as:

Table 2808. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow

https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf

https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis

SimpleTea (OS X)

SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).

It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.

SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.

The tag is: misp-galaxy:malpedia="SimpleTea (OS X)"

SimpleTea (OS X) is also known as:

Table 2809. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf

SpectralBlur (OS X)

The tag is: misp-galaxy:malpedia="SpectralBlur (OS X)"

SpectralBlur (OS X) is also known as:

Table 2810. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.spectral_blur

https://twitter.com/greglesnewich/status/1742575613834084684

SUGARLOADER

The tag is: misp-galaxy:malpedia="SUGARLOADER"

SUGARLOADER is also known as:

Table 2811. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.sugarloader

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

Tsunami (OS X)

The tag is: misp-galaxy:malpedia="Tsunami (OS X)"

Tsunami (OS X) is also known as:

Table 2814. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami

https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks

Winnti (OS X)

The tag is: misp-galaxy:malpedia="Winnti (OS X)"

Winnti (OS X) is also known as:

Table 2821. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti

https://401trg.pw/winnti-evolution-going-open-source/

Xloader

Xloader is a rebranding of the Formbook malware (mainly a stealer) and is available for macOS as well.

Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.

Not to be confused with apk.xloader or ios.xloader.

The tag is: misp-galaxy:malpedia="Xloader"

Xloader is also known as:

  • Formbook

Table 2826. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader

https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/

https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/

https://medium.com/@shaddy43/layers-of-deception-analyzing-the-complex-stages-of-xloader-4-3-malware-evolution-2dcb550b98d9

https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/

https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/

https://twitter.com/krabsonsecurity/status/1319463908952969216

https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption

https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/

https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer

https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/

ZuRu

A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engine results. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).

The tag is: misp-galaxy:malpedia="ZuRu"

ZuRu is also known as:

Table 2829. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru

https://objective-see.com/blog/blog_0x66.html

https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html

Ani-Shell

Ani-Shell is a simple PHP shell with some unique features such as a Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Auto Rooter, etc.

The tag is: misp-galaxy:malpedia="Ani-Shell"

Ani-Shell is also known as:

  • anishell

Table 2830. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell

https://github.com/tennc/webshell/tree/master/php/Ani-Shell

http://ani-shell.sourceforge.net/

c99shell

C99shell is a PHP backdoor that provides a lot of functionality, for example:

  • run shell commands;

  • download/upload files from and to the server (FTP functionality);

  • full access to all files on the hard disk;

  • self-delete functionality.

The tag is: misp-galaxy:malpedia="c99shell"

c99shell is also known as:

  • c99

Table 2834. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.c99

https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html

DEWMODE

FireEye discovered the DEWMODE webshell in mid-December 2020, following exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function to remove itself and clean the Apache log.
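The capabilities listed for c99shell above (shell command execution, arbitrary file access, self-deletion) and the file download plus self-removal described for DEWMODE are the traits a file-level scan of a web root looks for. The following scanner is an added example, not code from the Malpedia entries or from any of these shells: the two PHP inputs are constructed for the demonstration, and the function lists and the two-trait threshold are heuristic choices of this example rather than signatures taken from the reports.

```python
import re

# Constructed PHP samples (not taken from any real shell). BENIGN is an upload
# handler that validates its input; SUSPECT shows three traits from the c99 /
# DEWMODE descriptions: command execution and file read driven straight from a
# request parameter, and deleting its own file on demand.
BENIGN = """<?php
$name = basename($_FILES['f']['name']);
if (!preg_match('/^[a-z0-9_.-]+$/i', $name)) { exit('bad name'); }
move_uploaded_file($_FILES['f']['tmp_name'], '/srv/uploads/' . $name);
"""

SUSPECT = """<?php
if (isset($_REQUEST['c'])) { echo shell_exec($_REQUEST['c']); }
if (isset($_GET['d'])) { readfile($_GET['d']); }
if (isset($_GET['kill'])) { unlink(__FILE__); }
"""

EXEC_FUNCS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
FILE_FUNCS = r"(?:readfile|file_get_contents|fopen|include|require)"
INPUT_VARS = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

# Each rule is one trait; rules are checked per line so a hit can be reported
# with its line number.
RULES = {
    "exec-from-request": re.compile(r"\b" + EXEC_FUNCS + r"\s*\([^;]*" + INPUT_VARS),
    "file-read-from-request": re.compile(r"\b" + FILE_FUNCS + r"\s*\(?[^;]*" + INPUT_VARS),
    "self-delete": re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)"),
    "decoded-eval": re.compile(r"\beval\s*\([^;]*(?:base64_decode|gzinflate|str_rot13)"),
}


def scan_php(source):
    """Return [(rule, line_no, line)] for every rule hit in the PHP text."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                hits.append((rule, no, line.strip()))
    return hits


def is_probable_webshell(source, threshold=2):
    """Two or more distinct traits is a strong signal. A single hit (say,
    include($_GET[...]) on its own) is a file-inclusion bug worth fixing but
    not evidence of a shell, so it stays below the threshold."""
    return len({rule for rule, _, _ in scan_php(source)}) >= threshold


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, is_probable_webshell(src))
        for rule, no, line in scan_php(src):
            print(f"  line {no}: {rule}: {line}")
```

Regex scanning of this kind is a triage filter, not a verdict: obfuscated shells (the decoded-eval rule catches only the simplest layer) and shells that read their command from a header rather than a superglobal slip through, so hits are a prompt to open the file, and misses are not a clean bill of health.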

The tag is: misp-galaxy:malpedia="DEWMODE"

DEWMODE is also known as:

Table 2835. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf

https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a

Ensikology

The tag is: misp-galaxy:malpedia="Ensikology"

Ensikology is also known as:

  • Ensiko

Table 2836. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology

https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

p0wnyshell

The tag is: misp-galaxy:malpedia="p0wnyshell"

p0wnyshell is also known as:

  • Ponyshell

  • Pownyshell

Table 2837. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.p0wnyshell

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Parrot TDS WebShell

The use of a classical web shell in combination with Parrot TDS was observed by Avast (DECODED blog).

The tag is: misp-galaxy:malpedia="Parrot TDS WebShell"

Parrot TDS WebShell is also known as:

Table 2838. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.parrot_tds_shell

https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/

https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

Prometheus Backdoor

Backdoor written in PHP.

The tag is: misp-galaxy:malpedia="Prometheus Backdoor"

Prometheus Backdoor is also known as:

Table 2840. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor

https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus

https://blog.group-ib.com/prometheus-tds

RedHat Hacker WebShell

The tag is: misp-galaxy:malpedia="RedHat Hacker WebShell"

RedHat Hacker WebShell is also known as:

Table 2841. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker

https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp

Silence DDoS

The tag is: misp-galaxy:malpedia="Silence DDoS"

Silence DDoS is also known as:

Table 2843. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos

https://www.group-ib.com/resources/threat-research/silence.html

BlackSun

Ransomware written in PowerShell.

The tag is: misp-galaxy:malpedia="BlackSun"

BlackSun is also known as:

Table 2844. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun

https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html

FRat Loader

Loader used to deliver FRat (see family windows.frat)

The tag is: misp-galaxy:malpedia="FRat Loader"

FRat Loader is also known as:

Table 2849. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader

https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md

HTTP-Shell

The author describes this open source shell as follows. HTTP-Shell is a multiplatform reverse shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.

This shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.

The tag is: misp-galaxy:malpedia="HTTP-Shell"

HTTP-Shell is also known as:

Table 2852. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.http_shell

https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition

https://github.com/JoelGMSec/HTTP-Shell

Lazyscripter

The tag is: misp-galaxy:malpedia="Lazyscripter"

Lazyscripter is also known as:

Table 2854. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter

https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter

LightBot

According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.

The tag is: misp-galaxy:malpedia="LightBot"

LightBot is also known as:

Table 2855. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot

https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

https://twitter.com/VK_Intel/status/1329511151202349057

Octopus (Powershell)

The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."

It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.

The tag is: misp-galaxy:malpedia="Octopus (Powershell)"

Octopus (Powershell) is also known as:

Table 2856. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus

https://isc.sans.edu/diary/rss/28628

https://isc.sans.edu/diary/26918

https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf

https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf

https://github.com/mhaskar/Octopus

PowerHarbor

PowerHarbor is a modular PowerShell-based malware. The primary module maintains constant communication with the C2 server, executing and deleting the additional modules it receives from it. Communication with the C2 server is encrypted using RSA with hardcoded key data, and the main module incorporates virtual machine (VM) detection. The StealData module is built around the Invoke-Stealer function, which steals system information, browser-stored credentials, cryptocurrency wallet details, and credentials for applications such as Telegram, FileZilla and WinSCP.

The tag is: misp-galaxy:malpedia="PowerHarbor"

PowerHarbor is also known as:

Table 2861. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerharbor

https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor

POWERPLANT

POWERPLANT is a PowerShell backdoor used by FIN7. According to Mandiant, it is a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."

The tag is: misp-galaxy:malpedia="POWERPLANT"

POWERPLANT is also known as:

Table 2864. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant

https://www.mandiant.com/resources/evolution-of-fin7

powershell_web_backdoor

The tag is: misp-galaxy:malpedia="powershell_web_backdoor"

powershell_web_backdoor is also known as:

Table 2865. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor

https://github.com/chrisjd20/powershell_web_backdoor

POWERSOURCE

POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.
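A C2 channel built on DNS TXT queries, as POWERSOURCE uses, shows up in resolver logs as one client issuing many TXT queries to a single registered domain, each with a different random-looking leftmost label carrying the encoded tasking or result. The following is an added example (not POWERSOURCE's or DNS_TXT_Pwnage's code, and not from this page's source) that runs that heuristic over constructed sample log lines. The log line format, the "last two labels" approximation of the registered domain, and the thresholds (five TXT queries, mean label entropy of 3.0 bits, 80% unique labels) are assumptions chosen for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real telemetry): "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.1.2.3 A www.example.com
2024-03-01T10:00:02Z 10.1.2.3 TXT 7a1f9c3e0d5b.k.example-c2.test
2024-03-01T10:00:07Z 10.1.2.3 TXT b83e1d2f64a0.k.example-c2.test
2024-03-01T10:00:12Z 10.1.2.3 TXT c0ffee1234ab.k.example-c2.test
2024-03-01T10:00:17Z 10.1.2.3 TXT d4e5f6a7b8c9.k.example-c2.test
2024-03-01T10:00:22Z 10.1.2.3 TXT 0123456789ab.k.example-c2.test
2024-03-01T10:00:27Z 10.1.2.3 TXT fedcba987654.k.example-c2.test
2024-03-01T10:00:30Z 10.1.2.9 TXT _dmarc.example.com
2024-03-01T10:00:31Z 10.1.2.9 TXT example.com
2024-03-01T10:00:32Z 10.1.2.9 TXT _dmarc.example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: encoded/random labels score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Heuristic: the last two labels. An ASSUMPTION for this example; use the public suffix list in production."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(log_text: str, min_txt_queries: int = 5, min_mean_entropy: float = 3.0,
            min_unique_ratio: float = 0.8):
    """Flag (client, registered domain) pairs whose TXT queries look like a command channel."""
    stats = defaultdict(lambda: {"txt": 0, "labels": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, qtype, qname = m.groups()
        if qtype != "TXT":
            continue
        first_label = qname.split(".")[0]          # where the implant encodes its data
        s = stats[(client, registered_domain(qname))]
        s["txt"] += 1
        s["labels"].add(first_label)
        s["entropy_sum"] += shannon_entropy(first_label)
    alerts = []
    for (client, domain), s in sorted(stats.items()):
        mean_entropy = s["entropy_sum"] / s["txt"]
        unique_ratio = len(s["labels"]) / s["txt"]   # beacons rarely repeat a label
        if (s["txt"] >= min_txt_queries and mean_entropy >= min_mean_entropy
                and unique_ratio >= min_unique_ratio):
            alerts.append({"client": client, "domain": domain, "txt_queries": s["txt"],
                           "mean_label_entropy": round(mean_entropy, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_DNS_LOG):
        print(alert)
```

The benign client in the sample (SPF/DMARC lookups) never accumulates enough TXT queries against one domain to trip the rule, while the beaconing client does; in practice the thresholds need tuning against the resolver's real baseline, since mail servers and some security products legitimately issue many TXT queries.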

The tag is: misp-galaxy:malpedia="POWERSOURCE"

POWERSOURCE is also known as:

Table 2868. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource

https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

PowerSpritz

The tag is: misp-galaxy:malpedia="PowerSpritz"

PowerSpritz is also known as:

Table 2869. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

POWERSTATS

POWERSTATS is a backdoor written in PowerShell. It can disable Microsoft Office Protected View, fingerprint the victim and receive commands.

The tag is: misp-galaxy:malpedia="POWERSTATS"

POWERSTATS is also known as:

  • Valyria

Table 2871. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats

https://blog.prevailion.com/2020/01/summer-mirage.html

https://unit42.paloaltonetworks.com/atoms/boggyserpens/

https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/

https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611

https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html

https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html

https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf

https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/

https://www.secureworks.com/research/threat-profiles/cobalt-ulster

https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/

https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/

https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/

https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html

https://www.group-ib.com/blog/muddywater/

https://securelist.com/apt-trends-report-q2-2019/91897/

https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/

https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/

https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf

https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

http://www.secureworks.com/research/threat-profiles/cobalt-ulster

https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater

https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html

https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/

https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA

https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/

https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html

POWERTRASH

POWERTRASH is an in-memory dropper written in PowerShell and used by FIN7 to execute an embedded payload. According to Mandiant’s blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."

The tag is: misp-galaxy:malpedia="POWERTRASH"

POWERTRASH is also known as:

Table 2873. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash

https://www.rewterz.com/rewterz-news/rewterz-threat-alert-widely-abused-msix-app-installer-disabled-by-microsoft-active-iocs

https://www.mandiant.com/resources/blog/evolution-of-fin7

https://www.mandiant.com/resources/evolution-of-fin7

PowerWare

The tag is: misp-galaxy:malpedia="PowerWare"

PowerWare is also known as:

Table 2874. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware

https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats

PowerZure

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.

The tag is: misp-galaxy:malpedia="PowerZure"

PowerZure is also known as:

Table 2875. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure

https://github.com/hausec/PowerZure

PowerRAT

The tag is: misp-galaxy:malpedia="PowerRAT"

PowerRAT is also known as:

Table 2877. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_rat

https://blog.talosintelligence.com/gophish-powerrat-dcrat/

PresFox

The family adds a fake root certificate authority, sets a proxy auto-configuration (PAC) URL for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, the PowerShell script appears to be dropped by an exploit kit.

The tag is: misp-galaxy:malpedia="PresFox"

PresFox is also known as:

Table 2880. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox

https://twitter.com/kafeine/status/1092000556598677504

RandomQuery (Powershell)

A set of PowerShell scripts that use services like Google Docs and Dropbox as C2.

The tag is: misp-galaxy:malpedia="RandomQuery (Powershell)"

RandomQuery (Powershell) is also known as:

Table 2882. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.randomquery

https://www.securonix.com/blog/securonix-threat-research-security-advisory-new-deepgosu-attack-campaign/

RMOT

According to Trellix, this is a first-stage, PowerShell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Identified targets include hotels in Macao.

The tag is: misp-galaxy:malpedia="RMOT"

RMOT is also known as:

Table 2883. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.rmot

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html

Royal Ransom (Powershell)

Toolkit downloader used by the Royal ransomware group; it relies on GnuPG for decryption.

The tag is: misp-galaxy:malpedia="Royal Ransom (Powershell)"

Royal Ransom (Powershell) is also known as:

Table 2885. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.royal_ransom

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Schtasks

The tag is: misp-galaxy:malpedia="Schtasks"

Schtasks is also known as:

Table 2886. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks

https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1

skyrat

The tag is: misp-galaxy:malpedia="skyrat"

skyrat is also known as:

Table 2887. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat

https://github.com/YSCHGroup/SkyRAT

sLoad

sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

The tag is: misp-galaxy:malpedia="sLoad"

sLoad is also known as:

  • Starslord

Table 2888. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload

https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9

https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html

https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/

https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/

https://blog.minerva-labs.com/sload-targeting-europe-again

https://threatpost.com/sload-spying-payload-delivery-bits/151120/

https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/

https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy

https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/

https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/

https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/

https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan

https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf

STEELHOOK

The tag is: misp-galaxy:malpedia="STEELHOOK"

STEELHOOK is also known as:

Table 2890. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook

https://cert.gov.ua/article/6276894

Tater PrivEsc

The tag is: misp-galaxy:malpedia="Tater PrivEsc"

Tater PrivEsc is also known as:

Table 2893. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater

https://github.com/Kevin-Robertson/Tater

ThunderShell

The tag is: misp-galaxy:malpedia="ThunderShell"

ThunderShell is also known as:

Table 2894. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell

https://github.com/Mr-Un1k0d3r/ThunderShell

Unidentified PS 001

Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.

The tag is: misp-galaxy:malpedia="Unidentified PS 001"

Unidentified PS 001 is also known as:

Table 2895. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001

https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/

Unidentified PS 002 (RAT)

A PowerShell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.

The tag is: misp-galaxy:malpedia="Unidentified PS 002 (RAT)"

Unidentified PS 002 (RAT) is also known as:

Table 2896. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002

https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/

https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/

Unidentified PS 003 (RAT)

This malware is a RAT written in PowerShell. Its capabilities include downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes Labs Threat Intelligence Team in a newly discovered campaign that tries to lure Germans with the promise of updates on the current threat situation in Ukraine.

The tag is: misp-galaxy:malpedia="Unidentified PS 003 (RAT)"

Unidentified PS 003 (RAT) is also known as:

Table 2897. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003

https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/

Unidentified PS 004 (RAT)

The tag is: misp-galaxy:malpedia="Unidentified PS 004 (RAT)"

Unidentified PS 004 (RAT) is also known as:

Table 2898. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_004

https://somedieyoungzz.github.io/posts/kimsucky-2/

WannaRen Downloader

The tag is: misp-galaxy:malpedia="WannaRen Downloader"

WannaRen Downloader is also known as:

Table 2901. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader

https://twitter.com/blackorbird/status/1247834024711577601

WMImplant

The tag is: misp-galaxy:malpedia="WMImplant"

WMImplant is also known as:

Table 2902. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

AndroxGh0st

According to Lacework, this is an SMTP cracker which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework, and the Laravel .env file is often targeted for its various configuration data, including AWS, SendGrid and Twilio credentials. AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of web shells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.
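The scanning behaviour described above leaves a distinctive trace in web server access logs: bursts of requests for `/.env` and its variants, usually answered with 404, and, on a misconfigured host, a 200 with a body. The following is an added example (not AndroxGh0st's code and not from this page's source) that finds those requests in constructed Apache/nginx combined-format log lines, grades each source as probing or as having actually obtained the file, and, for the latter case, lists which variables in a constructed placeholder `.env` would have been handed over. The log lines, the `.env` contents, the path patterns and the credential-name heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /.env.bak?x=1 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2024:10:05:01 +0000] "GET /environment/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:10:07:13 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# ".env" as a path component, plus ".env.bak" / ".env.production" style variants.
ENV_PATH_RE = re.compile(r"(?:^|/)\.env(?:\.[\w.-]+)?$")


def is_env_probe(target: str) -> bool:
    """True if the request target (query string ignored) asks for a .env file."""
    path = target.split("?", 1)[0]
    return ENV_PATH_RE.search(path) is not None


def scan_access_log(log_text: str):
    """Group .env requests per source IP; 'exposed' if the server ever answered 200 with a body."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "exposed": False})
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or not is_env_probe(m["target"]):
            continue
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["paths"].add(m["target"].split("?", 1)[0])
        if m["status"] == "200" and m["size"] not in ("-", "0"):
            entry["exposed"] = True
    return [{"ip": ip, "hits": e["hits"], "paths": sorted(e["paths"]),
             "severity": "exposed" if e["exposed"] else "probing"}
            for ip, e in sorted(per_ip.items())]


# Constructed Laravel-style .env with placeholder values (no real secrets).
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_KEY=base64:PLACEHOLDER
DB_PASSWORD=changeme
AWS_ACCESS_KEY_ID=AKIA0000000000EXAMPLE
AWS_SECRET_ACCESS_KEY=placeholder-secret
SENDGRID_API_KEY=SG.placeholder
TWILIO_AUTH_TOKEN=placeholder
MAIL_HOST=smtp.example.com
"""

# Heuristic (an assumption): variable names that usually hold credentials.
SENSITIVE_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASS", re.I)


def sensitive_keys_in_env(env_text: str):
    """Names of populated variables that look like credentials, i.e. what a fetched .env gives away."""
    found = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if value.strip().strip("\"'") and SENSITIVE_NAME_RE.search(name):
            found.append(name.strip())
    return sorted(found)


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert)
    print(sensitive_keys_in_env(SAMPLE_ENV))
```

A single 200 for `/.env` is the alert that matters: every key the second function lists should be treated as compromised and rotated, regardless of how many 404s preceded it. The web server should also be configured to deny access to dotfiles outright rather than relying on the file not being present in the document root.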

The tag is: misp-galaxy:malpedia="AndroxGh0st"

AndroxGh0st is also known as:

  • Androx

  • AndroxGhost

Table 2903. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st

https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/

Archivist

The tag is: misp-galaxy:malpedia="Archivist"

Archivist is also known as:

Table 2904. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist

https://github.com/NullArray/Archivist

BlankGrabber

Stealer written in Python 3, typically distributed bundled via PyInstaller.

The tag is: misp-galaxy:malpedia="BlankGrabber"

BlankGrabber is also known as:

Table 2906. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber

https://github.com/Blank-c/Blank-Grabber

https://www.linkedin.com/feed/update/urn:li:activity:7247179869443264512/

Creal Stealer

Stealer written in Python.

The tag is: misp-galaxy:malpedia="Creal Stealer"

Creal Stealer is also known as:

Table 2908. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.creal_stealer

https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/

DropboxC2C

The tag is: misp-galaxy:malpedia="DropboxC2C"

DropboxC2C is also known as:

Table 2909. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c

https://github.com/0x09AL/DropboxC2C

Empyrean

Discord Stealer written in Python with Javascript-based inject files.

The tag is: misp-galaxy:malpedia="Empyrean"

Empyrean is also known as:

Table 2910. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.empyrean

https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord

Evil Ant

Ransomware written in Python.

The tag is: misp-galaxy:malpedia="Evil Ant"

Evil Ant is also known as:

Table 2911. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.evil_ant

https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/

Guard

According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.

The tag is: misp-galaxy:malpedia="Guard"

Guard is also known as:

Table 2912. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.guard

https://securelist.com/wildpressure-targets-macos/103072/

KeyPlexer

The tag is: misp-galaxy:malpedia="KeyPlexer"

KeyPlexer is also known as:

Table 2914. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer

https://github.com/nairuzabulhul/KeyPlexer

LaZagne

The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

The tag is: misp-galaxy:malpedia="LaZagne"

LaZagne is also known as:

Table 2915. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne

https://www.mandiant.com/resources/blog/alphv-ransomware-backup

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/

https://www.infinitumit.com.tr/apt-35/

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf

https://attack.mitre.org/groups/G0100/

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

https://attack.mitre.org/groups/G0100

https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/

https://fourcore.io/blogs/threat-hunting-browser-credential-stealing

https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

https://github.com/AlessandroZ/LaZagne

https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html

Lofy

The tag is: misp-galaxy:malpedia="Lofy"

Lofy is also known as:

  • LofyLife

Table 2916. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.lofy

https://securelist.com/lofylife-malicious-npm-packages/107014/

Loki RAT

This RAT written in Python is an open-source fork of the Ares RAT. It integrates additional modules, such as recording, lockscreen and locate options. A customized version was used by the El Machete APT in an ongoing campaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/

The tag is: misp-galaxy:malpedia="Loki RAT"

Loki RAT is also known as:

Table 2917. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.lokirat

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

NetWorm

The tag is: misp-galaxy:malpedia="NetWorm"

NetWorm is also known as:

Table 2920. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.networm

https://github.com/pylyf/NetWorm

PIRAT

The tag is: misp-galaxy:malpedia="PIRAT"

PIRAT is also known as:

Table 2921. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat

https://vk.com/m228228?w=wall306895781_177

PyAesLoader

The tag is: misp-galaxy:malpedia="PyAesLoader"

PyAesLoader is also known as:

Table 2925. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader

PY#RATION

According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.

The tag is: misp-galaxy:malpedia="PY#RATION"

PY#RATION is also known as:

Table 2928. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.pyration

https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/

QUIETBOARD

The tag is: misp-galaxy:malpedia="QUIETBOARD"

QUIETBOARD is also known as:

Table 2930. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.quietboard

https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware

Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
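A poisoner like Responder answers LLMNR queries for names it knows cannot be resolved, so the standard check for one on a segment is to ask the LLMNR multicast group for a name that does not exist and see whether anyone answers. The following is an added example (not part of the Responder project and not from this page's source) that builds such a honey query in the DNS-style wire format LLMNR uses, parses any A-record answer, and includes a constructed stand-in for the poisoner's reply so the parsing can be exercised offline; the `probe_live` helper, the `honey-` name prefix and the two-second timeout are assumptions made for the example.

```python
import random
import socket
import struct

# LLMNR multicast group and port (RFC 4795).
LLMNR_GROUP = ("224.0.0.252", 5355)
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS-style length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset just past it)."""
    labels = []
    while True:
        length = buf[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer, as in DNS
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int) -> bytes:
    """LLMNR A query: DNS-style header with QDCOUNT=1, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_answers(buf: bytes, expected_txid: int):
    """Return [(name, ipv4)] for A records in a response that matches our transaction id."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if txid != expected_txid or not flags & 0x8000:  # not our query, or QR bit not set
        return []
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question(s)
        _, offset = decode_name(buf, offset)
        offset += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(buf, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def poisoner_response(query: bytes, attacker_ip: str) -> bytes:
    """CONSTRUCTED stand-in for a poisoner's reply: answers whatever was asked with its own IP."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8000, qdcount, 1, 0, 0)
    # 0xC00C points back at the question name at offset 12; TTL 30, 4-byte A record.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4) + socket.inet_aton(attacker_ip)
    return header + question + answer


def random_honey_name() -> str:
    """A name no legitimate host should claim (prefix is an assumption for the example)."""
    return "honey-" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=10))


def probe_live(timeout: float = 2.0):
    """Send one honey query to the LLMNR group and collect every answer. Needs a network."""
    honey, txid = random_honey_name(), random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_query(honey, txid), LLMNR_GROUP)
        while True:
            data, (src, _) = sock.recvfrom(1024)
            for name, ip in parse_answers(data, txid):
                hits.append({"responder": src, "name": name, "claimed_ip": ip})
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits  # any entry here is a poisoner on the segment


if __name__ == "__main__":
    # Offline demonstration against the constructed reply.
    q = build_query("honey-example", 0x1234)
    print(parse_answers(poisoner_response(q, "10.0.0.66"), 0x1234))
```

The hit list from `probe_live` is the alert: the `responder` source address is the poisoner's host, and the address it claims for the honey name is where it wants victims to authenticate. Disabling LLMNR and NBT-NS via group policy removes the attack surface entirely; the probe is for finding poisoners on segments where that has not yet been done.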

The tag is: misp-galaxy:malpedia="Responder"

Responder is also known as:

  • SpiderLabs Responder

Table 2931. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.responder

https://github.com/lgandx/Responder

https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

SpaceCow

The tag is: misp-galaxy:malpedia="SpaceCow"

SpaceCow is also known as:

Table 2934. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow

https://github.com/TheSph1nx/SpaceCow

stealler

The tag is: misp-galaxy:malpedia="stealler"

stealler is also known as:

Table 2935. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler

https://habr.com/en/sandbox/135410/

Stormous

The tag is: misp-galaxy:malpedia="Stormous"

Stormous is also known as:

Table 2937. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.stormous

https://twitter.com/H4ckManac/status/1765707886246723617

unidentified_002

The tag is: misp-galaxy:malpedia="unidentified_002"

unidentified_002 is also known as:

Table 2938. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002

unidentified_003

The tag is: misp-galaxy:malpedia="unidentified_003"

unidentified_003 is also known as:

Table 2939. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003

Venomous

Ransomware written in Python and delivered as compiled executable created using PyInstaller.

The tag is: misp-galaxy:malpedia="Venomous"

Venomous is also known as:

Table 2941. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous

https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/

Venus Stealer

Venus Stealer is a Python-based infostealer observed in early 2023.

The tag is: misp-galaxy:malpedia="Venus Stealer"

Venus Stealer is also known as:

Table 2942. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer

https://twitter.com/0xToxin/status/1625435116771180546

https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/

VileRAT

The tag is: misp-galaxy:malpedia="VileRAT"

VileRAT is also known as:

Table 2943. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.vilerat

https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/

W4SP Stealer

A basic info stealer with some capability to inject code into legitimate applications.

The tag is: misp-galaxy:malpedia="W4SP Stealer"

W4SP Stealer is also known as:

Table 2944. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.w4sp_stealer

https://github.com/Im4wasp/W4SP-Stealer-V2/tree/main

https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/

WIREFIRE

The tag is: misp-galaxy:malpedia="WIREFIRE"

WIREFIRE is also known as:

  • GIFTEDVISITOR

Table 2945. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/py.wirefire

https://medium.com/mitre-engenuity/technical-deep-dive-understanding-the-anatomy-of-a-cyber-intrusion-080bddc679f3

FlexiSpy (symbian)

The tag is: misp-galaxy:malpedia="FlexiSpy (symbian)"

FlexiSpy (symbian) is also known as:

Table 2948. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

BASICSTAR

The tag is: misp-galaxy:malpedia="BASICSTAR"

BASICSTAR is also known as:

Table 2949. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.basicstar

https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/

CageyChameleon

CageyChameleon is a VBS-based backdoor that can enumerate the list of running processes and check for the presence of several antivirus products. It collects host and user information, the current process list and similar data, sends it to the C2 server, and then keeps issuing requests to carry out subsequent operations.

The tag is: misp-galaxy:malpedia="CageyChameleon"

CageyChameleon is also known as:

  • Cabbage RAT

Table 2950. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon

https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ

https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/

https://sansorg.egnyte.com/dl/3P3HxFiNgL

https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf

https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf

https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/

https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html

https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf

https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf

https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314

https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html

https://www.clearskysec.com/cryptocore-group/

https://i.blackhat.com/USA-22/Thursday/US-22-Wikoff-Talent-Need-Not-Apply.pdf

https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md

GGLdr

The tag is: misp-galaxy:malpedia="GGLdr"

GGLdr is also known as:

Table 2952. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr

https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

GlowSpark

The tag is: misp-galaxy:malpedia="GlowSpark"

GlowSpark is also known as:

Table 2953. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark

https://inquest.net/blog/2022/02/10/380-glowspark

HALFBAKED

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:

  • info: sends victim machine information (OS, processor, BIOS and running processes) gathered via WMI queries

  • processList: sends the list of running processes

  • screenshot: takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)

  • runvbs: executes a VBScript

  • runexe: executes an EXE file

  • runps1: executes a PowerShell script

  • delete: deletes the specified file

  • update: updates the specified file

The tag is: misp-galaxy:malpedia="HALFBAKED"

HALFBAKED is also known as:

Table 2955. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked

https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

https://attack.mitre.org/software/S0151/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf

HOMESTEEL

The tag is: misp-galaxy:malpedia="HOMESTEEL"

HOMESTEEL is also known as:

Table 2956. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.homesteel

https://cert.gov.ua/article/6281076

Iloveyou

The tag is: misp-galaxy:malpedia="Iloveyou"

Iloveyou is also known as:

  • Love Bug

  • LoveLetter

Table 2957. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou

https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186

Janicab (VBScript)

The tag is: misp-galaxy:malpedia="Janicab (VBScript)"

Janicab (VBScript) is also known as:

Table 2958. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.janicab

https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/

lampion

The malware is delivered by email, either as a ZIP attachment or as a link to a ZIP file. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking customers in Portugal.

The tag is: misp-galaxy:malpedia="lampion"

lampion is also known as:

Table 2959. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion

https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf

https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/

https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/

https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/

https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html

https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/

https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf

https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing

https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years

https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader

LitterDrifter

The tag is: misp-galaxy:malpedia="LitterDrifter"

LitterDrifter is also known as:

Table 2960. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.litterdrifter

https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/

MOUSEISLAND

MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and delivered inside a password-protected ZIP attached to a phishing email. Based on FireEye intrusion data from responding to ICEDID-related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.

The tag is: misp-galaxy:malpedia="MOUSEISLAND"

MOUSEISLAND is also known as:

Table 2962. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland

https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

NodeJS Ransomware

Downloads NodeJS when deployed.

The tag is: misp-galaxy:malpedia="NodeJS Ransomware"

NodeJS Ransomware is also known as:

Table 2963. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom

https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html

RandomQuery (VBScript)

According to SentinelLabs, this is a Visual Basic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP COM objects.

The tag is: misp-galaxy:malpedia="RandomQuery (VBScript)"

RandomQuery (VBScript) is also known as:

Table 2964. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.randomquery

https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/

Starfighter (VBScript)

According to the author, this is a JavaScript- and VBScript-based Empire launcher that runs within its own embedded PowerShell host so that it does not depend on PowerShell being available locally.

The tag is: misp-galaxy:malpedia="Starfighter (VBScript)"

Starfighter (VBScript) is also known as:

Table 2965. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter

https://github.com/Cn33liz/StarFighters

Unidentified VBS 001

The tag is: misp-galaxy:malpedia="Unidentified VBS 001"

Unidentified VBS 001 is also known as:

Table 2967. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001

https://twitter.com/JohnLaTwC/status/1118278148993339392

Unidentified 002 (Operation Kremlin)

Unnamed malware. Delivered as a remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up with WinRAR.

The tag is: misp-galaxy:malpedia="Unidentified 002 (Operation Kremlin)"

Unidentified 002 (Operation Kremlin) is also known as:

Table 2968. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002

https://www.clearskysec.com/operation-kremlin/

Unidentified VBS 004 (RAT)

Lab52 describes this as a light first-stage RAT used by MuddyWater and observed samples between at least November 2020 and January 2022.

The tag is: misp-galaxy:malpedia="Unidentified VBS 004 (RAT)"

Unidentified VBS 004 (RAT) is also known as:

Table 2970. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004

https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/

VBREVSHELL

According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.

The tag is: misp-galaxy:malpedia="VBREVSHELL"

VBREVSHELL is also known as:

Table 2973. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell

https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/

https://www.mandiant.com/media/17826

https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/

000Stealer

The tag is: misp-galaxy:malpedia="000Stealer"

000Stealer is also known as:

Table 2976. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer

https://twitter.com/3xp0rtblog/status/1509978637189419008

0bj3ctivityStealer

Information stealer, based on strings it seems to target crypto currencies, instant messengers, and browser data.

The tag is: misp-galaxy:malpedia="0bj3ctivityStealer"

0bj3ctivityStealer is also known as:

  • PXRECVOWEIWOEI

Table 2977. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.0bj3ctivity_stealer

https://twitter.com/suyog41/status/1688797716447432704

https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/

3CX Backdoor (Windows)

According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.

The tag is: misp-galaxy:malpedia="3CX Backdoor (Windows)"

3CX Backdoor (Windows) is also known as:

  • SUDDENICON

Table 2978. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor

https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised

https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack

https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html

https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023

https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md

https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/

https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/

https://securelist.com/it-threat-evolution-q2-2023/110355/

https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022

https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/

https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social

https://www.youtube.com/watch?v=fTX-vgSEfjk

https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf

https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats

https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/

https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality

https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack

https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html

https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/

https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack

https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack

https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/

https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update

404 Keylogger

Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual data exfiltration channels, which include email (SMTP), FTP, Pastebin and the messaging app Telegram.

The tag is: misp-galaxy:malpedia="404 Keylogger"

404 Keylogger is also known as:

  • 404KeyLogger

  • Snake Keylogger

Table 2979. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

https://twitter.com/James_inthe_box/status/1401921257109561353

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89

https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware

https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/

https://any.run/cybersecurity-blog/analyzing-snake-keylogger/

https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/

https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html

https://blog.netlab.360.com/purecrypter

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/

https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter

https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/

https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/

https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/

https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://cert.gov.ua/article/955924

https://www.youtube.com/watch?v=vzyJp2w8bPE

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/

https://habr.com/ru/company/group-ib/blog/477198/

https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger

https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102

https://zw01f.github.io/malware%20analysis/snake/
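The description above names the exfiltration channels (SMTP, FTP, Pastebin, Telegram) but not how to spot them. The following is an added example, not part of the MISP galaxy or the Malpedia entry: a small egress heuristic in Python run over a constructed endpoint connection log (process name, destination host, destination port). It flags non-mail processes on SMTP ports, non-FTP-client processes on port 21, and non-browser processes reaching api.telegram.org or pastebin.com, then surfaces any single process that touches two or more of those channels. The process allowlists and the log format are assumptions and must be tuned per environment.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed endpoint connection log for illustration; not real Snake Keylogger
# traffic. Format per line: "<process_name> <dest_host> <dest_port>".
SAMPLE_CONN_LOG = """\
outlook.exe smtp.office365.com 587
invoice_2023.exe smtp.gmail.com 587
invoice_2023.exe api.telegram.org 443
chrome.exe www.example.com 443
filezilla.exe ftp.example.org 21
invoice_2023.exe pastebin.com 443
svchost.exe update.example.net 80
"""

MAIL_PORTS = {25, 465, 587}
FTP_PORTS = {21}
# Public services the description names as exfil channels. A browser reaching
# them is normal; any other process doing so deserves a look.
EXFIL_HOSTS = {"api.telegram.org": "telegram", "pastebin.com": "pastebin"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Processes expected to speak SMTP/FTP on a workstation (assumed; tune per site).
ALLOWED_MAIL_PROCS = {"outlook.exe", "thunderbird.exe"}
ALLOWED_FTP_PROCS = {"filezilla.exe", "winscp.exe"}


@dataclass(frozen=True)
class Finding:
    process: str
    dest_host: str
    dest_port: int
    channel: str


def classify_connection(process: str, host: str, port: int) -> Optional[str]:
    """Return the exfil channel a connection resembles, or None if it looks benign."""
    proc = process.lower()
    if port in MAIL_PORTS and proc not in ALLOWED_MAIL_PROCS:
        return "smtp"
    if port in FTP_PORTS and proc not in ALLOWED_FTP_PROCS:
        return "ftp"
    if host.lower() in EXFIL_HOSTS and proc not in BROWSERS:
        return EXFIL_HOSTS[host.lower()]
    return None


def find_exfil_candidates(log_text: str) -> list[Finding]:
    """Parse the log and return every connection that matches a channel."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # tolerate malformed lines instead of aborting the sweep
        process, host, port = parts[0], parts[1], int(parts[2])
        channel = classify_connection(process, host, port)
        if channel:
            findings.append(Finding(process, host, port, channel))
    return findings


def processes_using_multiple_channels(findings: list[Finding]) -> dict[str, set[str]]:
    """One executable reaching two or more distinct channels is the strongest
    signal: few legitimate workstation programs need SMTP and Telegram and Pastebin."""
    by_proc: dict[str, set[str]] = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.channel)
    return {proc: chans for proc, chans in by_proc.items() if len(chans) >= 2}


if __name__ == "__main__":
    hits = find_exfil_candidates(SAMPLE_CONN_LOG)
    for h in hits:
        print(f"{h.process} -> {h.dest_host}:{h.dest_port} [{h.channel}]")
    print("multi-channel:", processes_using_multiple_channels(hits))
```

On the constructed log only invoice_2023.exe is flagged, on all three of its connections; Outlook on 587 and FileZilla on 21 are allowlisted and the browser is ignored for the public hosts. Port- and host-based rules like these are cheap but blind to TLS-wrapped SMTP on non-standard ports and to Telegram reached through a proxy, so treat them as triage input rather than a verdict.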

7ev3n

The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."

The tag is: misp-galaxy:malpedia="7ev3n"

7ev3n is also known as:

Table 2982. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n

https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/

8Base

The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in the summer of 2023. The group pairs encryption with "name-and-shame" techniques to compel victims to pay. 8Base has an opportunistic pattern of compromise, with recent victims spanning varied industries. Despite the high number of compromises, the identities, methodology and underlying motivation behind these incidents remain a mystery. Samples of their ransomware show they are using a customized Phobos delivered with SmokeLoader.

The tag is: misp-galaxy:malpedia="8Base"

8Base is also known as:

Table 2983. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.8base

https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/

https://socradar.io/dark-web-profile-8base-ransomware/

https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html

https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/

https://blog.talosintelligence.com/deep-dive-into-phobos-ransomware/

https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html

https://twitter.com/rivitna2/status/1674718854549831681

https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/

https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape

https://circleid.com/posts/20240530-a-dns-investigation-of-the-phobos-ransomware-8base-attack

https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/

8.t Dropper

8T_Dropper has been used by the Chinese threat actor TA428 to install Cotx RAT onto victims' machines during Operation LagTime IT. According to Proofpoint, the attack targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

The tag is: misp-galaxy:malpedia="8.t Dropper"

8.t Dropper is also known as:

  • 8t_dropper

  • RoyalRoad

Table 2984. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper

https://nao-sec.org/2021/01/royal-road-redive.html

https://blog.malwarelab.pl/posts/on_the_royal_road/

https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746

https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/

https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/

https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f

https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/

https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf

https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage

https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf

https://community.riskiq.com/article/56fa1b2f

https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf

https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241

https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba

https://community.riskiq.com/article/5fe2da7f

https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a

9002 RAT

9002 RAT is a Remote Access Tool typically used by APT actors to control a victim's machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a PowerShell command.

The tag is: misp-galaxy:malpedia="9002 RAT"

9002 RAT is also known as:

  • HOMEUNIX

  • Hydraq

  • McRAT

Table 2985. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.9002

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

https://www.infopoint-security.de/medien/the-elderwood-project.pdf

https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf

https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html

https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://www.secureworks.com/research/threat-profiles/bronze-union

https://www.secureworks.com/research/threat-profiles/bronze-express

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf

https://attack.mitre.org/groups/G0001/

https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html

https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng

https://www.secureworks.com/research/threat-profiles/bronze-firestone

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats

https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures

https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html

http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/

https://www.youtube.com/watch?v=-7Swd1ZetiQ

https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn

https://www.secureworks.com/research/threat-profiles/bronze-keystone

https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html

Abaddon

Uses Discord for C&C and has a ransomware feature.

The tag is: misp-galaxy:malpedia="Abaddon"

Abaddon is also known as:

Table 2986. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon

https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/

AbaddonPOS

MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.

The tag is: misp-galaxy:malpedia="AbaddonPOS"

AbaddonPOS is also known as:

  • PinkKite

  • TinyPOS

Table 2987. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos

https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/

https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/

https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak

https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software

abantes

The tag is: misp-galaxy:malpedia="abantes"

abantes is also known as:

Table 2988. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes

Abbath Banker

The tag is: misp-galaxy:malpedia="Abbath Banker"

Abbath Banker is also known as:

Table 2989. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker

AbSent Loader

The tag is: misp-galaxy:malpedia="AbSent Loader"

AbSent Loader is also known as:

Table 2991. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader

https://twitter.com/cocaman/status/1260069549069733888

https://github.com/Tlgyt/AbSent-Loader

ACBackdoor (Windows)

A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (Windows)"

ACBackdoor (Windows) is also known as:

Table 2992. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor

https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

ACEHASH

ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. A password is required to execute it (e.g. 9839D7F1A0) and the individual modules are selected with parameters (-m, -w, -h).

The tag is: misp-galaxy:malpedia="ACEHASH"

ACEHASH is also known as:

Table 2993. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://www.secureworks.com/research/threat-profiles/bronze-atlas

AcidBox

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.

The tag is: misp-galaxy:malpedia="AcidBox"

AcidBox is also known as:

  • MagicScroll

Table 2994. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox

https://www.epicturla.com/blog/acidbox-clustering

https://securelist.com/apt-trends-report-q2-2020/97937/

https://unit42.paloaltonetworks.com/acidbox-rare-malware/

https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

AcridRain

AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.

The tag is: misp-galaxy:malpedia="AcridRain"

AcridRain is also known as:

Table 2995. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain

https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/

Acronym

The tag is: misp-galaxy:malpedia="Acronym"

Acronym is also known as:

Table 2996. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym

ACR Stealer

First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.

The tag is: misp-galaxy:malpedia="ACR Stealer"

ACR Stealer is also known as:

Table 2997. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer

https://twitter.com/sekoia_io/status/1784943443157930449

https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/

https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed
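The entry above says ACR Stealer uses a dead drop resolver (DDR) but not what that looks like. The following is an added example, not part of the MISP galaxy or the Malpedia entry and not ACR Stealer's real format: a minimal DDR in Python that walks a fetched public page for a marker-wrapped, base64-encoded token and decodes it into the real C2 URL. The page body, the "##...##" marker convention, the base64 wrapping and the C2 address (an RFC 5737 documentation address) are all constructed for illustration.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for a public page (a profile or post on a legitimate
# site) that a DDR-using sample would fetch. The "##...##" markers and the
# base64 wrapping are assumptions for illustration, not ACR Stealer's format.
HIDDEN_C2 = "https://198.51.100.23/api/v1"  # RFC 5737 documentation address
CONSTRUCTED_DEAD_DROP_PAGE = (
    "<html><body>\n"
    '<div class="bio">just here for the memes</div>\n'
    "<p>nothing hidden in this paragraph</p>\n"
    f"<span>##{base64.b64encode(HIDDEN_C2.encode()).decode()}##</span>\n"
    "</body></html>\n"
)

# Token must be base64 alphabet only and long enough to carry a URL.
MARKER = re.compile(r"##([A-Za-z0-9+/=]{8,})##")


def looks_like_c2_url(candidate: str) -> bool:
    """Reject tokens that happen to base64-decode but are not an http(s) URL."""
    parsed = urlparse(candidate)
    return parsed.scheme in {"http", "https"} and bool(parsed.netloc)


def resolve_dead_drop(page_body: str) -> Optional[str]:
    """Return the first marker-wrapped token that decodes to a plausible C2 URL,
    or None. A real resolver fetches the page over HTTPS first; the body is
    passed in here so the example runs offline."""
    for match in MARKER.finditer(page_body):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not our token; keep scanning
        if looks_like_c2_url(decoded):
            return decoded
    return None


if __name__ == "__main__":
    print(resolve_dead_drop(CONSTRUCTED_DEAD_DROP_PAGE))
```

The defensive point: the only network artifact before first contact is a fetch of an ordinary page on a reputable site, so domain reputation alone will not catch it. Hunt for the pair (request to a public profile or paste page, followed by a connection to a host that never appeared in DNS or in the page's visible links), record the decoded URL as the real indicator, and block the dead drop by full URL rather than by domain.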

Adamantium Thief

The tag is: misp-galaxy:malpedia="Adamantium Thief"

Adamantium Thief is also known as:

Table 2999. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief

https://twitter.com/ClearskySec/status/1377176015189929989

https://github.com/LimerBoy/Adamantium-Thief

AdamLocker

Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.

The tag is: misp-galaxy:malpedia="AdamLocker"

AdamLocker is also known as:

Table 3000. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker

https://twitter.com/JaromirHorejsi/status/813712587997249536

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016

Adhubllka

Ransomware distributed by TA547 in a campaign targeting Australia.

The tag is: misp-galaxy:malpedia="Adhubllka"

Adhubllka is also known as:

Table 3001. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka

https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign

AdvisorsBot

AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.

The tag is: misp-galaxy:malpedia="AdvisorsBot"

AdvisorsBot is also known as:

Table 3003. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot

https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot

https://www.bromium.com/second-stage-attack-analysis/

AESRT

Ransomware written using .NET.

The tag is: misp-galaxy:malpedia="AESRT"

AESRT is also known as:

Table 3005. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aesrt

https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants

Agent.BTZ

The tag is: misp-galaxy:malpedia="Agent.BTZ"

Agent.BTZ is also known as:

  • ComRAT

  • Minit

  • Sun rootkit

Table 3008. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors

http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html

http://www.intezer.com/new-variants-of-agent-btz-comrat-found/

https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf

https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf

https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf

https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf

https://www.secureworks.com/research/threat-profiles/iron-hunter

https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat

https://docs.broadcom.com/doc/waterbug-attack-group

https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/

https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d

https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4

https://artemonsecurity.com/snake_whitepaper.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified

https://unit42.paloaltonetworks.com/ironnetinjector/

http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/

https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/

Agent Racoon

Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.

The tag is: misp-galaxy:malpedia="Agent Racoon"

Agent Racoon is also known as:

Table 3009. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_racoon

https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/

https://unit42.paloaltonetworks.com/operation-diplomatic-specter/

Agent Tesla

A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host’s clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.

The tag is: misp-galaxy:malpedia="Agent Tesla"

Agent Tesla is also known as:

  • AgenTesla

  • AgentTesla

  • Negasteal

Table 3010. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://www.inde.nz/blog/inside-agenttesla

https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/

https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/

https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla

https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/

https://www.bitsight.com/blog/data-insights-agenttesla-and-originlogger-victims

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/

https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya

https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4

https://www.telsy.com/download/4832/

https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/

https://www.youtube.com/watch?v=Q9_1xNbVQPY

https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/

https://isc.sans.edu/diary/rss/28190

https://us-cert.cisa.gov/ncas/alerts/aa20-345a

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware

https://www.intrinsec.com/wp-content/uploads/2023/09/TLP-CLEAR-20230912-EN-GuLoader-Information-report.pdf

https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir

https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/

https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine

https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/

https://isc.sans.edu/diary/27666

https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware

https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?

https://malwarebookreports.com/agent-teslaggah/

https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/

https://isc.sans.edu/diary/28202

https://viuleeenz.github.io/posts/2023/08/agent-tesla-building-an-effective-decryptor/

https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant

https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html

https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/

https://guillaumeorlando.github.io/AgentTesla

https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1

https://blog.minerva-labs.com/preventing-agenttesla

https://cert.gov.ua/article/861292

https://github.com/echocti/ECHO-Reports/blob/main/Malware%20Analysis%20Report/Agent%20Tesla/Agent%20Tesla%20Technical%20Analysis%20Report.pdf

https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html

https://blog.talosintelligence.com/ipfs-abuse/

https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354

https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla

https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/

https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/

https://inquest.net/blog/2021/11/02/adults-only-malware-lures

https://osamaellahi.medium.com/unfolding-agent-tesla-the-art-of-credentials-harvesting-f1a988cfd137

https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/

https://isc.sans.edu/diary/rss/27092

https://lab52.io/blog/a-twisted-malware-infection-chain/

https://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry

https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf

https://stairwell.com/resources/proactive-response-anydesk-any-breach/

https://www.infinitumit.com.tr/agent-tesla-malware-raporu/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://asec.ahnlab.com/ko/29133/

https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/

https://research.checkpoint.com/2024/agent-tesla-targeting-united-states-and-australia/

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://medium.com/@b.magnezi/malware-analysis-agenttesla-2af3d73a7825

https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr

https://youtu.be/hxaeWyK8gMI

https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://blog.netlab.360.com/purecrypter

https://guillaumeorlando.github.io/GorgonInfectionchain

https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html

https://youtu.be/QQuRp7Qiuzg

https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting

http://ropgadget.com/posts/originlogger.html

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

https://community.riskiq.com/article/56e28880

https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns

https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/

https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf

https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware

https://youtu.be/BM38OshcozE

https://unit42.paloaltonetworks.com/originlogger/

https://twitter.com/MsftSecIntel/status/1392219299696152578

https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/

https://forensicitguy.github.io/agenttesla-vba-certutil-download/

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/

https://malwatch.github.io/posts/agent-tesla-malware-analysis/

https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/

https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/

https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/

https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/

https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/

https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor

http://www.secureworks.com/research/threat-profiles/gold-galleon

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/

https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/

https://www.cisecurity.org/insights/blog/top-10-malware-march-2022

https://securelist.com/agent-tesla-malicious-spam-campaign/107478/

https://community.riskiq.com/article/40000d46

http://blog.nsfocus.net/sweed-611/

https://www.lac.co.jp/lacwatch/report/20220307_002893.html

https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/

https://news.sophos.com/en-us/2020/05/14/raticate/

https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire

https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update

https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/

https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ

https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf

https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs

https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/

https://blog.malwarelab.pl/posts/basfu_aggah/

https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

https://isc.sans.edu/diary/27088

https://www.secureworks.com/research/darktortilla-malware-analysis

https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/

https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/

https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

https://youtu.be/7AifHTCldZI

https://menshaway.blogspot.com/2021/04/agenttesla-malware.html

https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/

https://cyber-forensics.blog/2024/05/06/formbook-analysis/

https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware

https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/

https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads

https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/

https://community.riskiq.com/article/6337984e

http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

AgfSpy

The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

The tag is: misp-galaxy:malpedia="AgfSpy"

AgfSpy is also known as:

Table 3011. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy

https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

Akira (Windows)

The tag is: misp-galaxy:malpedia="Akira (Windows)"

Akira (Windows) is also known as:

Table 3013. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.akira

https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/

https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/

https://arcticwolf.com/resources/blog/follow-on-extortion-campaign-targeting-victims-of-akira-and-royal-ransomware/

https://www.intrinsec.com/akira_ransomware/

https://cybercx.com.au/blog/akira-ransomware/

https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/

https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape

https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/

https://securelist.com/crimeware-report-fakesg-akira-amos/111483/

https://www.s-rminform.com/cyber-intelligence-briefing/uncovering-akira-privilege-escalation-techniques

https://www.loginsoft.com/post/akira-ransomware-the-evolution-of-a-major-threat

https://www.bankinfosecurity.com/blogs/akira-ransomware-apparently-in-decline-but-still-threat-p-3480

https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/

https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Ransomware/Akira/Akira-The_old_new_style_crime_EN_Aaron_Jornet.pdf

https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/

https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/

https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html

https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/

https://twitter.com/MalGamy12/status/1651972583615602694

Aldibot

According to the Trend Micro Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.

This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.

This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.

This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

The tag is: misp-galaxy:malpedia="Aldibot"

Aldibot is also known as:

Table 3015. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot

AllaKore

AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in an early stage of development. It implements the RFB protocol, which works on frame buffers and therefore sends back only the changed regions of the screen to the controller, speeding up transport and visual control.

The tag is: misp-galaxy:malpedia="AllaKore"

AllaKore is also known as:

Table 3019. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d

https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388

https://github.com/Anderson-D/AllaKore

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf

https://www.seqrite.com/blog/sidecopys-multi-platform-onslaught-leveraging-winrar-zero-day-and-linux-variant-of-ares-rat/

https://threatmon.io/the-anatomy-of-a-sidecopy-attack-from-rar-exploits-to-allakore-rat/

https://twitter.com/_re_fox/status/1212070711206064131

https://www.team-cymru.com/post/allakore-d-the-sidecopy-train

https://blog.talosintelligence.com/2021/07/sidecopy.html

https://www.seqrite.com/blog/umbrella-of-pakistani-threats-converging-tactics-of-cyber-operations-targeting-india/

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt

https://www.seqrite.com/blog/pakistani-apts-escalate-attacks-on-indian-gov-seqrite-labs-unveils-threats-and-connections/

AllcomeClipper

Allcome is classified as a clipper malware. Clippers are threats designed to read data saved in the clipboard (the temporary buffer where copied data is stored) and substitute it with other data. This attack mainly targets users active in the cryptocurrency sector.

The tag is: misp-galaxy:malpedia="AllcomeClipper"

AllcomeClipper is also known as:

Table 3021. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper

https://bazaar.abuse.ch/browse/signature/AllcomeClipper/

https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums

AlmaLocker

The tag is: misp-galaxy:malpedia="AlmaLocker"

AlmaLocker is also known as:

Table 3024. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker

AlmondRAT

AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.

The tag is: misp-galaxy:malpedia="AlmondRAT"

AlmondRAT is also known as:

Table 3025. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.almondrat

https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/

ALPC Local PrivEsc

The tag is: misp-galaxy:malpedia="ALPC Local PrivEsc"

ALPC Local PrivEsc is also known as:

Table 3026. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe

https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

Alphabet Ransomware

The Alphabet ransomware is a new screenlocker that is still being developed by a criminal developer. Because the malware is not finished, it does not affect any user files.

The virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.

The tag is: misp-galaxy:malpedia="Alphabet Ransomware"

Alphabet Ransomware is also known as:

Table 3027. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware

https://twitter.com/JaromirHorejsi/status/813714602466877440

AlphaLocker

AlphaLocker is a new form of ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware as a Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively low price: the ransomware can be purchased for just $65 in bitcoin.

AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware’s author is said to be paying a great deal of attention to updating the ransomware with new features so that it always stays ahead of antivirus engines and evades detection.

AlphaLocker’s encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key with the RSA-2048 algorithm, sends the public key to the user’s computer and keeps the private key on the server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, encrypts that key with the public RSA key, and sends it to the C&C server.

To decrypt their files, users have to obtain the private RSA key, which is needed to decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.

The tag is: misp-galaxy:malpedia="AlphaLocker"

AlphaLocker is also known as:

Table 3028. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker

https://web.archive.org/web/20200505071300/https://threatvector.cylance.com/en_us/home/an-introduction-to-alphalocker.html

https://blog.cylance.com/an-introduction-to-alphalocker

Alreay

Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.

It uses either RC4 or DES for encryption of its configuration, which is stored in the registry.

It sends detailed information about the victim’s environment, like computer name, Windows version, system locale, and network configuration.

It supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.

It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).

Alreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.

The tag is: misp-galaxy:malpedia="Alreay"

Alreay is also known as:

Table 3031. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay

https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

https://securelist.com/lazarus-under-the-hood/77908/

Amadey

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.

The tag is: misp-galaxy:malpedia="Amadey"

Amadey is also known as:

Table 3033. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb

https://embeeresearch.io/shodan-censys-queries/

https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a

https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/

https://embee-research.ghost.io/amadey-bot-infrastructure/

https://twitter.com/ViriBack/status/1062405363457118210

https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/

https://www.vmray.com/cyber-security-blog/amadey-new-encoding-with-old-tricks/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-amadey-56c8c6ea0ad6

https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html

https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat

https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/

https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4

https://embee-research.ghost.io/shodan-censys-queries/

https://twitter.com/0xffff0800/status/1062948406266642432

https://embeeresearch.io/redline-stealer-basic-static-analysis-and-c2-extraction/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do

https://asec.ahnlab.com/en/36634/

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py

https://www.linkedin.com/posts/idan-tarab-7a9057200_apt-ttps-coralraider-activity-7238998746254999553-57LG/

https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://asec.ahnlab.com/en/41450/

https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/

https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/

https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer

https://embee-research.ghost.io/combining-pivot-points-to-identify-malware-infrastructure-redline-smokeloader-and-cobalt-strike/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://isc.sans.edu/diary/27264

https://asec.ahnlab.com/en/44504/

https://asec.ahnlab.com/en/59590/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html

https://nao-sec.org/2019/04/Analyzing-amadey.html

https://www.anquanke.com/post/id/230116

https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become

https://any.run/cybersecurity-blog/crackedcantil-breakdown/

https://asec.ahnlab.com/en/40483/

https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_1_kasuya_en.pdf

https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/

https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot

Anatova Ransomware

Anatova is a ransomware family whose goal is to encrypt every file it can and then demand payment from the victim. It also checks whether network shares are connected and encrypts the files on those shares too. The code is also prepared to support modular extensions.

The tag is: misp-galaxy:malpedia="Anatova Ransomware"

Anatova Ransomware is also known as:

Table 3035. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom

https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/

https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/

Anchor

Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infection but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it could be attributed to the same authors.

The tag is: misp-galaxy:malpedia="Anchor"

Anchor is also known as:

Table 3036. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/

https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

https://isc.sans.edu/diary/27308

https://www.netscout.com/blog/asert/dropping-anchor

https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns

https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns

https://unit42.paloaltonetworks.com/ryuk-ransomware/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth

https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607

https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/

AnchorMTea

Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.

The tag is: misp-galaxy:malpedia="AnchorMTea"

AnchorMTea is also known as:

Table 3038. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea

https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html

http://report.threatbook.cn/LS.pdf

https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/

Andardoor

The tag is: misp-galaxy:malpedia="Andardoor"

Andardoor is also known as:

  • ROCKHATCH

Table 3039. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor

https://asec.ahnlab.com/en/56405/

https://asec.ahnlab.com/ko/47751/

https://asec.ahnlab.com/ko/56256/

Andromeda

The tag is: misp-galaxy:malpedia="Andromeda"

Andromeda is also known as:

  • B106-Gamarue

  • B67-SS-Gamarue

  • Gamarue

  • b66

Table 3040. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda

https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation

http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/

http://blog.morphisec.com/andromeda-tactics-analyzed

https://blog.avast.com/andromeda-under-the-microscope

https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/

https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/

https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features

https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis

https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html

https://www.mandiant.com/resources/blog/turla-galaxy-opportunity

http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

https://redcanary.com/blog/intelligence-insights-november-2021/

https://eternal-todo.com/blog/andromeda-gamarue-loves-json

http://resources.infosecinstitute.com/andromeda-bot-analysis/

https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf

https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html

https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf

https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/

AndroMut

According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1], and “Mut” is based on a mutex that the analyzed sample creates: “mutshellmy777”.

The tag is: misp-galaxy:malpedia="AndroMut"

AndroMut is also known as:

  • Gelup

Table 3041. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut

https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

https://intel471.com/blog/a-brief-history-of-ta505

https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf

https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south

https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf

https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

AnteFrigus

Ransomware that demands payment in Bitcoin.

The tag is: misp-galaxy:malpedia="AnteFrigus"

AnteFrigus is also known as:

Table 3043. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus

http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html

https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md

Antilam

The tag is: misp-galaxy:malpedia="Antilam"

Antilam is also known as:

  • Latinus

Table 3044. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam

Anubis (Windows)

According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.

The tag is: misp-galaxy:malpedia="Anubis (Windows)"

Anubis (Windows) is also known as:

  • Anubis Stealer

Table 3045. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis

https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/

https://twitter.com/MsftSecIntel/status/1298752223321546754

https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

APERETIF

The tag is: misp-galaxy:malpedia="APERETIF"

APERETIF is also known as:

Table 3047. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif

https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/

Apocalipto

The tag is: misp-galaxy:malpedia="Apocalipto"

Apocalipto is also known as:

Table 3048. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto

https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf

Apollo

This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.

The tag is: misp-galaxy:malpedia="Apollo"

Apollo is also known as:

Table 3050. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo

https://github.com/MythicAgents/Apollo

Appleseed

The tag is: misp-galaxy:malpedia="Appleseed"

Appleseed is also known as:

  • JamBog

Table 3053. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed

https://asec.ahnlab.com/en/30532/

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf

https://asec.ahnlab.com/ko/26705/

https://asec.ahnlab.com/en/36368/

https://www.youtube.com/watch?v=Dv2_DK3tRgI

https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf

https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf

https://asec.ahnlab.com/ko/36918/

https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf

https://asec.ahnlab.com/en/59590/

https://asec.ahnlab.com/en/41015/

https://www.youtube.com/watch?v=rfzmHjZX70s

https://www.telsy.com/download/5654/?uid=4869868efd

https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2

https://asec.ahnlab.com/ko/54804/

https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf

https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/

https://asec.ahnlab.com/en/60054/

https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

ArdaMax

According to F-Secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product’s website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.

This program can be configured to a complete stealth mode, with password protection, to avoid user detection.

The information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).

The tag is: misp-galaxy:malpedia="ArdaMax"

ArdaMax is also known as:

Table 3054. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576

Ares (Windows)

A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.

The tag is: misp-galaxy:malpedia="Ares (Windows)"

Ares (Windows) is also known as:

Table 3056. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ares

https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga

https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan

AresLoader

AresLoader is a new malware "downloader" that has been advertised on the Russian-language dark web forums "RAMP" and "XSS" by a threat actor called "DarkBLUP". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors, because a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

  1. Written in C/C++

  2. Supports 64-bit payloads

  3. Makes it look like malware spawned by another process

  4. Prevents non-Microsoft signed binaries from being injected into malware

  5. Hides suspicious imported Windows APIs

  6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

The tag is: misp-galaxy:malpedia="AresLoader"

AresLoader is also known as:

Table 3057. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader

https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/

https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html

https://flashpoint.io/blog/private-malware-for-sale-aresloader/

https://twitter.com/k3dg3/status/1636873721200746496

https://intel471.com/blog/new-loader-on-the-bloc-aresloader

ArguePatch

During a campaign against a Ukrainian energy provider, a new loader for a new version of CaddyWiper, called "ArguePatch", was observed by ESET researchers. ArguePatch is a modified version of Hex-Rays' Remote Debugger Server (win32_remote.exe). ArguePatch expects a decryption key and the file containing the CaddyWiper shellcode as command line parameters.

The tag is: misp-galaxy:malpedia="ArguePatch"

ArguePatch is also known as:

Table 3058. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch

https://www.mandiant.com/resources/blog/gru-rise-telegram-minions

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Arid Gopher

This malware is a Go-written variant of Micropsia and, according to Deep Instinct, it is still in development.

The tag is: misp-galaxy:malpedia="Arid Gopher"

Arid Gopher is also known as:

Table 3060. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher

https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/

https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks

AridHelper

Helper malware associated with Arid Gopher, which provides an alternative persistence mechanism in case "360 Total Security" is found on a target system.

The tag is: misp-galaxy:malpedia="AridHelper"

AridHelper is also known as:

Table 3061. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper

https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant

Arik Keylogger

The tag is: misp-galaxy:malpedia="Arik Keylogger"

Arik Keylogger is also known as:

  • Aaron Keylogger

Table 3062. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger

http://remote-keylogger.net/

Arkei Stealer

Arkei is a stealer that appeared around May 2018. It collects data from browsers (saved passwords and autofill forms) and cryptocurrency wallets, and steals files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker’s panel. Later, it was forked and used as a base to create Vidar stealer.

The tag is: misp-galaxy:malpedia="Arkei Stealer"

Arkei Stealer is also known as:

  • ArkeiStealer

Table 3063. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer

https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/

https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/

https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets

https://isc.sans.edu/diary/rss/28468

https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer

https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://threatmon.io/arkei-stealer-analysis-threatmon/

https://m4lcode.github.io/malware%20analysis/vidar/

https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/

https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://ke-la.com/information-stealers-a-new-landscape/

ArrowRAT

It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module, which gives an attacker full remote access with minimal need for technical knowledge to use it.

The tag is: misp-galaxy:malpedia="ArrowRAT"

ArrowRAT is also known as:

Table 3064. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat

https://www.arrowrat.com

ARS VBS Loader

ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.

The tag is: misp-galaxy:malpedia="ARS VBS Loader"

ARS VBS Loader is also known as:

Table 3065. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader

https://twitter.com/Racco42/status/1001374490339790849

https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/

Asbit

The tag is: misp-galaxy:malpedia="Asbit"

Asbit is also known as:

Table 3068. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.asbit

https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan

AscentLoader

The tag is: misp-galaxy:malpedia="AscentLoader"

AscentLoader is also known as:

Table 3069. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader

ASPC

The tag is: misp-galaxy:malpedia="ASPC"

ASPC is also known as:

Table 3070. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc

Astaroth

First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.

The tag is: misp-galaxy:malpedia="Astaroth"

Astaroth is also known as:

  • Guildma

Table 3073. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth

https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf

https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/

https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962

https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/

https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

https://isc.sans.edu/diary/27482

https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

https://blog.talosintelligence.com/2020/05/astaroth-analysis.html

https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/

https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://blog.easysol.net/meet-lucifer-international-trojan/

https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/

https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/

Astasia

Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.

The tag is: misp-galaxy:malpedia="Astasia"

Astasia is also known as:

Table 3074. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia

https://twitter.com/MalGamy12/status/1690100567756906497

AsyncRAT

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.

The tag is: misp-galaxy:malpedia="AsyncRAT"

AsyncRAT is also known as:

Table 3076. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://community.riskiq.com/article/ade260c6

https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers

https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services

https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/

https://threatpost.com/ta2541-apt-rats-aviation/178422/

https://labs.k7computing.com/?p=21759

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://blog.morphisec.com/syk-crypter-discord

https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat

https://lab52.io/blog/apt-c-36-from-njrat-to-apt-c-36/

https://censys.com/a-beginners-guide-to-tracking-malware-infrastructure/

https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/

https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection

https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf

https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service

https://embee-research.ghost.io/unpacking-malware-using-process-hacker-and-memory-inspection/

https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/

https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/

https://www.linkedin.com/feed/update/urn:li:activity:7252248385007603713/

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/

https://embee-research.ghost.io/shodan-censys-queries/

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/

https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns

https://twitter.com/ESETresearch/status/1449132020613922828

https://blog.cyber5w.com/analyzing-macro-enabled-office-documents

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign

https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html

https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf

https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/

https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader

https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html

https://twitter.com/vxunderground/status/1519632014361640960

https://axmahr.github.io/posts/asyncrat-detection/

https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware

https://embeeresearch.io/shodan-censys-queries/

https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat

https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/

https://blog.netlab.360.com/purecrypter

https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html

https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages

https://aidenmitchell.ca/asyncrat-via-vbs/

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://twitter.com/MsftSecIntel/status/1392219299696152578

https://community.riskiq.com/article/24759ad2

https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia

https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html

https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html

https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt

https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/

https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/

https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/

https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html

https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise

https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf

https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf

https://securelist.com/apt-trends-report-q3-2020/99204/

https://www.linkedin.com/feed/update/urn:li:activity:7137086303329783808/

https://github.com/jeFF0Falltrades/rat_king_parser

https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_9_takeda_furukawa_en.pdf

https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html

https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html

https://embeeresearch.io/unpacking-net-malware-with-process-hacker/

https://www.esentire.com/blog/asyncrat-activity

https://assets.virustotal.com/reports/2021trends.pdf

https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/

https://embee-research.ghost.io/unpacking-net-malware-with-process-hacker/

https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies

https://www.secureworks.com/research/darktortilla-malware-analysis

https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf

https://eln0ty.github.io/malware%20analysis/asyncRAT/

https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/Jan-Jun%202024%20Botnet%20Threat%20Update.pdf

https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html

https://dfir.ch/posts/asyncrat_quasarrat/

https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper

https://embeeresearch.io/unpacking-malware-using-process-hacker-and-memory-inspection/

https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique

https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://cybersecurity.att.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno

https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/

https://info.spamhaus.com/hubfs/Botnet%20Reports/Q4%202023%20Botnet%20Threat%20Update.pdf

https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/

https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/

https://community.riskiq.com/article/3929ede0/description

Athena

Part of the Mythic framework; the payload is written in C# (.NET 6) and supports HTTP, WebSockets, Slack and SMB for C2.

The tag is: misp-galaxy:malpedia="Athena"

Athena is also known as:

Table 3078. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.athena

https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/

AthenaGo RAT

The tag is: misp-galaxy:malpedia="AthenaGo RAT"

AthenaGo RAT is also known as:

Table 3079. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago

ATI-Agent

The tag is: misp-galaxy:malpedia="ATI-Agent"

ATI-Agent is also known as:

Table 3080. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

ATMii

The tag is: misp-galaxy:malpedia="ATMii"

ATMii is also known as:

Table 3083. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii

https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/

ATMSpitter

The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

The tag is: misp-galaxy:malpedia="ATMSpitter"

ATMSpitter is also known as:

Table 3086. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter

https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf

http://www.secureworks.com/research/threat-profiles/gold-kingswood

https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf

https://www.secureworks.com/research/threat-profiles/gold-kingswood

Attor

Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor’s core lies in its dispatcher, which serves as a management unit for the additional plugins that provide all of the malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. The plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing the victim’s screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.

The tag is: misp-galaxy:malpedia="Attor"

Attor is also known as:

Table 3088. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.attor

https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami

https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html

https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/

https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf

https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/

https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform

https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/

https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html

AuKill

According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

The tag is: misp-galaxy:malpedia="AuKill"

AuKill is also known as:

  • SophosKill

Table 3090. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Aurora Stealer

First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets and local systems, and also acts as a loader. During execution, the malware runs several commands through WMIC to collect basic host information, takes a desktop screenshot, and exfiltrates data to the C2 server within a single base64-encoded JSON file.

The tag is: misp-galaxy:malpedia="Aurora Stealer"

Aurora Stealer is also known as:

Table 3093. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer

https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/

https://d01a.github.io/aurora-stealer-builder/

https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://isc.sans.edu/diary/rss/29448

https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html

https://d01a.github.io/aurora-stealer/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer

https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/

https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219

Avaddon

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

The tag is: misp-galaxy:malpedia="Avaddon"

Avaddon is also known as:

Table 3094. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/

https://www.tgsoft.it/files/report/download.asp?id=568531345

https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound

https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/

https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

https://www.connectwise.com/resources/avaddon-profile

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/

https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis

https://arxiv.org/pdf/2102.04796.pdf

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf

https://www.swascan.com/it/avaddon-ransomware/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire

https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/

https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/

https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/

https://www.mandiant.com/resources/chasing-avaddon-ransomware

https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/

https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://twitter.com/dk_samper/status/1348560784285167617

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4

https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/

https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/

https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware

https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/

https://twitter.com/Securityinbits/status/1271065316903120902

AvastDisabler

The tag is: misp-galaxy:malpedia="AvastDisabler"

AvastDisabler is also known as:

Table 3095. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler

https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/

AVCrypt

Bleeping Computer reported the discovery of AVCrypt, malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, because it removes numerous services, including Windows Update, and provides no contact information, this ransomware may be a wiper.

The tag is: misp-galaxy:malpedia="AVCrypt"

AVCrypt is also known as:

Table 3096. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt

https://twitter.com/malwrhunterteam/status/976925447043846145

https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/

AvD Crypto Stealer

Cyble Research discovered this .NET-written malware, dubbed "AvD Crypto Stealer". The name is misleading, because it is actually a kind of clipper malware. Cyble's assumption is that one possible scenario is this malware targeting other threat actors.

The tag is: misp-galaxy:malpedia="AvD Crypto Stealer"

AvD Crypto Stealer is also known as:

Table 3097. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avd

https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/

Ave Maria

Information stealer which uses AutoIT for wrapping.

The tag is: misp-galaxy:malpedia="Ave Maria"

Ave Maria is also known as:

  • AVE_MARIA

  • AveMariaRAT

  • Warzone RAT

  • WarzoneRAT

  • avemaria

Table 3099. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/

https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies

https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf

https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html

https://reaqta.com/2019/04/ave_maria-malware-part1/

https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1

https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware

https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html

https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/

https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf

https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat

https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/

https://securelist.com/apt-trends-report-q3-2020/99204/

https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw

https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://www.youtube.com/watch?v=81fdvmGmRvM

https://muha2xmad.github.io/malware-analysis/warzonerat/

https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html

https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf

http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery

https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://www.bleepingcomputer.com/news/security/fbi-seizes-warzone-rat-infrastructure-arrests-malware-vendor/

https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

https://blog.morphisec.com/syk-crypter-discord

https://www.youtube.com/watch?v=T0tdj1WDioM

https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

https://blog.yoroi.company/research/the-ave_maria-malware/

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf

https://www.justice.gov/opa/pr/international-cybercrime-malware-service-dismantled-federal-authorities-key-malware-sales

https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/

https://blog.talosintelligence.com/attributing-yorotrooper/

https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord

https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique

https://www.youtube.com/watch?v=-G82xh9m4hc

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

https://blog.cyber5w.com/analyzing-macro-enabled-office-documents

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest

https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat

https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf

https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/

https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing

https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf

https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf

https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/

https://www.europol.europa.eu/media-press/newsroom/news/international-cybercrime-malware-service-targeting-thousands-of-unsuspecting-consumers-dismantled

https://asec.ahnlab.com/en/36629/

https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb

AvosLocker

AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.

In March 2022, the FBI and US Treasury Department issued a warning about the attacks.

The tag is: misp-galaxy:malpedia="AvosLocker"

AvosLocker is also known as:

Table 3100. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker

https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html

https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/

https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux

https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/

https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf

https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

https://www.ic3.gov/Media/News/2022/220318.pdf

https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/

https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen

https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/

https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker

https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group

Unidentified 061 (Windows)

This sample was previously wrongly tagged as PoweliksDropper; additional context is still being sought.

The tag is: misp-galaxy:malpedia="Unidentified 061 (Windows)"

Unidentified 061 (Windows) is also known as:

Table 3101. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon

Ayegent

The tag is: misp-galaxy:malpedia="Ayegent"

Ayegent is also known as:

Table 3104. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent

Aytoke

Keylogger.

The tag is: misp-galaxy:malpedia="Aytoke"

Aytoke is also known as:

Table 3105. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke

https://snort.org/rule_docs/1-34217

https://www.youtube.com/watch?v=FttiysUZmDw

Azorult

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

The tag is: misp-galaxy:malpedia="Azorult"

Azorult is also known as:

  • PuffStealer

  • Rultazo

Table 3106. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html

https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html

https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/

https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf

https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan

https://medium.com/s2wlab/operation-synctrek-e5013df8d167

https://securityintelligence.com/posts/roboski-global-recovery-automation/

https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/

https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/

https://community.riskiq.com/article/56e28880

https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

https://unit42.paloaltonetworks.com/cybersquatting/

https://isc.sans.edu/diary/25120

https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/

https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/

https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html

https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/

https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign

https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://www.ciphertechsolutions.com/roboski-global-recovery-automation/

https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/

https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/

https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/

https://www.youtube.com/watch?v=EyDiIAtdI

https://twitter.com/DrStache_/status/1227662001247268864

https://ke-la.com/information-stealers-a-new-landscape/

https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf

https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf

https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html

https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html

https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east

https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/

https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors

https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d

https://asec.ahnlab.com/en/26517/

https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/

https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/

https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html

https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/

https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat

https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/

https://securelist.com/azorult-analysis-history/89922/

https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf

https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/

https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/

https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/

https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/

https://any.run/cybersecurity-blog/azorult-malware-analysis/

https://community.riskiq.com/article/2a36a7d2/description

https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html

https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145

https://fr3d.hk/blog/gazorp-thieving-from-thieves

https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/

https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05

http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html

Azov Wiper

According to Checkpoint, this malware is a wiper rather than the ransomware it announces itself to be. It is hand-written in FASM and unrecoverably overwrites data in blocks of 666 bytes, using multi-threading.

The tag is: misp-galaxy:malpedia="Azov Wiper"

Azov Wiper is also known as:

Table 3107. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper

https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/

https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper

https://twitter.com/CPResearch/status/1587837524604465153

Babadeda

According to PCrisk, Babadeda is a new sample in the crypter family, allowing threat actors to encrypt and obfuscate malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.

The tag is: misp-galaxy:malpedia="Babadeda"

Babadeda is also known as:

Table 3108. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities

Babuk (Windows)

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.

The tag is: misp-galaxy:malpedia="Babuk (Windows)"

Babuk (Windows) is also known as:

  • Babyk

  • Vasa Locker

Table 3110. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751

http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/

https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3

https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/

https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html

https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/

https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/

https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/

https://cocomelonc.github.io/book/2023/12/13/malwild-book.html

https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/

https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/

https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles-_babuk.pdf

https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/

https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/

https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/

https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/

https://securelist.com/ransomware-world-in-2021/102169/

https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2

https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62

https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings

https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt

https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf

https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf

https://blog.morphisec.com/babuk-ransomware-variant-major-attack

https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b

https://twitter.com/GossiTheDog/status/1409117153182224386

https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

https://twitter.com/Sebdraven/status/1346377590525845504

https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/

https://decoded.avast.io/threatresearch/avast-updates-babuk-ransomware-decryptor-in-cooperation-with-cisco-talos-and-dutch-police/

https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/

https://killingthebear.jorgetesta.tech/actors/evil-corp

https://github.com/EmissarySpider/ransomware-descendants

https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/

https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1

https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/

https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f

https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf

https://resources.prodaft.com/wazawaka-report

https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/

https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/

https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html

https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf

https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/

https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/

https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/

https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.

The tag is: misp-galaxy:malpedia="BabyShark"

BabyShark is also known as:

  • LATEOP

Table 3113. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark

https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html

https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html

https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood

https://www.youtube.com/watch?v=Dv2_DK3tRgI

https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html

https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

https://us-cert.cisa.gov/ncas/alerts/aa20-301a

https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

https://www.youtube.com/watch?v=rfzmHjZX70s

https://twitter.com/i/web/status/1099147896950185985

https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark

https://blog.alyac.co.kr/3352

https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/

https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1

Bachosens

The tag is: misp-galaxy:malpedia="Bachosens"

Bachosens is also known as:

Table 3114. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens

https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a

BACKBEND

FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either mutex exists, the malware exits.

The tag is: misp-galaxy:malpedia="BACKBEND"

BACKBEND is also known as:

Table 3115. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

BackNet

The tag is: misp-galaxy:malpedia="BackNet"

BackNet is also known as:

Table 3117. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet

https://github.com/valsov/BackNet

Backoff POS

The tag is: misp-galaxy:malpedia="Backoff POS"

Backoff POS is also known as:

Table 3118. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff

https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/

BadEncript

The tag is: misp-galaxy:malpedia="BadEncript"

BadEncript is also known as:

Table 3122. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript

https://twitter.com/PhysicalDrive0/status/833067081981710336

badflick

BADFLICK is a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.

The tag is: misp-galaxy:malpedia="badflick"

badflick is also known as:

Table 3123. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick

https://blog.amossys.fr/badflick-is-not-so-bad.html

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

BadNews

The tag is: misp-galaxy:malpedia="BadNews"

BadNews is also known as:

Table 3125. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews

http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1

https://securelist.com/apt-trends-report-q1-2021/101967/

https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html

https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

https://lab52.io/blog/new-patchwork-campaign-against-pakistan/

https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/

https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait

https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign

https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/

http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf

https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/

https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

Bagle

The tag is: misp-galaxy:malpedia="Bagle"

Bagle is also known as:

Table 3126. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle

https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf

BalkanDoor

According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.

The tag is: misp-galaxy:malpedia="BalkanDoor"

BalkanDoor is also known as:

Table 3129. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door

https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

BalkanRAT

The goal of BalkanRAT, which is the more complex part of the malicious Balkan toolset (cf. BalkanDoor), is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components that help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active since at least January 2016 and targeted accounting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (judging from the contents of the emails, the included links and the decoy PDFs, all of which concerned taxes). It was legitimately signed and installed by exploiting the WinRAR ACE vulnerability (CVE-2018-20250).

The tag is: misp-galaxy:malpedia="BalkanRAT"

BalkanRAT is also known as:

Table 3130. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat

https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

Banatrix

The tag is: misp-galaxy:malpedia="Banatrix"

Banatrix is also known as:

Table 3132. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix

https://www.cert.pl/en/news/single/banatrix-an-indepth-look/

Bandook

Bandook malware is a remote access trojan (RAT) first seen in 2007 that has been active for several years since. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.

The tag is: misp-galaxy:malpedia="Bandook"

Bandook is also known as:

  • Bandok

Table 3135. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook