Introduction

The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.
MISP galaxy is a simple method to express a large object, called a cluster, that can be attached to MISP events or attributes. A cluster can be composed of one or more elements, expressed as key-value pairs. Default vocabularies are available in MISP galaxy, but they can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. A MISP distribution level can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.
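As an added example (not code from this document or from the MISP project), the following Python reads a small constructed excerpt shaped like the misp-galaxy cluster JSON (galaxy `type`, `values` with `value`, `meta.synonyms` and `related` entries carrying `dest-uuid`, `type` and `tags`; all UUIDs are placeholders) and derives from it the tag strings, synonym lists and "similar" relationships printed throughout this page, reporting a relationship whose destination cluster was not loaded instead of silently dropping it.

```python
import json
import re

# Constructed excerpt in the shape of the misp-galaxy cluster format. The first
# galaxy mirrors two clusters shown on this page; the second is a minimal stand-in
# for the threat-actor galaxy so the "similar" link can be resolved. UUIDs are fake.
GALAXIES_JSON = r'''
[
 {"type": "360net-threat-actor", "name": "360.net Threat Actors",
  "values": [
   {"uuid": "aaaaaaaa-0000-4000-8000-000000000001",
    "value": "海莲花 - APT-C-00",
    "meta": {"synonyms": ["OceanLotus"]},
    "related": [
     {"dest-uuid": "bbbbbbbb-0000-4000-8000-000000000032",
      "type": "similar",
      "tags": ["estimative-language:likelihood-probability=\"likely\""]},
     {"dest-uuid": "cccccccc-0000-4000-8000-000000000099",
      "type": "similar",
      "tags": ["estimative-language:likelihood-probability=\"likely\""]}
    ]},
   {"uuid": "aaaaaaaa-0000-4000-8000-000000000039",
    "value": "CIA - APT-C-39"}
  ]},
 {"type": "threat-actor", "name": "Threat Actor",
  "values": [
   {"uuid": "bbbbbbbb-0000-4000-8000-000000000032",
    "value": "APT32",
    "meta": {"synonyms": ["OceanLotus", "APT-C-00"]}}
  ]}
]
'''

LIKELIHOOD_RE = re.compile(
    r'^estimative-language:likelihood-probability="([^"]+)"$')

def cluster_tag(galaxy_type, value):
    """The tag MISP attaches to an event or attribute for this cluster."""
    return 'misp-galaxy:%s="%s"' % (galaxy_type, value)

def load_galaxies(raw):
    """Parse the galaxies and build two indexes: UUID -> tag (relationships
    only carry a dest-uuid) and lower-cased name/synonym -> set of tags."""
    galaxies = json.loads(raw)
    by_uuid, aliases = {}, {}
    for galaxy in galaxies:
        for cluster in galaxy["values"]:
            tag = cluster_tag(galaxy["type"], cluster["value"])
            by_uuid[cluster["uuid"]] = tag
            names = [cluster["value"]] + cluster.get("meta", {}).get("synonyms", [])
            for name in names:
                aliases.setdefault(name.lower(), set()).add(tag)
    return galaxies, by_uuid, aliases

def relationships(cluster, by_uuid):
    """(relation type, destination tag, likelihood) per related entry. A
    dest-uuid that was not loaded is reported as 'unresolved:<uuid>' rather
    than dropped, so the gap stays visible when the page is generated."""
    out = []
    for rel in cluster.get("related", []):
        likelihood = None
        for tag in rel.get("tags", []):
            match = LIKELIHOOD_RE.match(tag)
            if match:
                likelihood = match.group(1)
        dest = by_uuid.get(rel["dest-uuid"], "unresolved:" + rel["dest-uuid"])
        out.append((rel.get("type", "related-to"), dest, likelihood))
    return out

def render_cluster(galaxy_type, cluster, by_uuid):
    """Produce the lines this document prints for one cluster."""
    name = cluster["value"]
    lines = ["The tag is: " + cluster_tag(galaxy_type, name)]
    synonyms = cluster.get("meta", {}).get("synonyms", [])
    if synonyms:
        lines.append("%s is also known as:" % name)
        lines += ["- " + s for s in synonyms]
    rels = relationships(cluster, by_uuid)
    if rels:
        lines.append("%s has relationships with:" % name)
        for rtype, dest, likelihood in rels:
            line = "- %s: %s" % (rtype, dest)
            if likelihood:
                line += ' with estimative-language:likelihood-probability="%s"' % likelihood
            lines.append(line)
    return lines

def tags_for_alias(name, aliases):
    """Every cluster tag a vendor name or synonym maps to, case-insensitively,
    which is how the cross-galaxy aliases on this page can be pivoted on."""
    return sorted(aliases.get(name.lower(), set()))

if __name__ == "__main__":
    gs, by_uuid, aliases = load_galaxies(GALAXIES_JSON)
    print("\n".join(render_cluster(gs[0]["type"], gs[0]["values"][0], by_uuid)))
    print(tags_for_alias("oceanlotus", aliases))
```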
Funding and Support
The MISP project is financially and resource supported by CIRCL (Computer Incident Response Center Luxembourg).
A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 as Improving MISP as building blocks for next-generation information sharing.
If you are interested in co-funding projects around MISP, feel free to get in touch with us.
MISP galaxy
360.net Threat Actors
Known or estimated adversary groups as identified by 360.net.
360.net Threat Actors is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Authors:
- 360.net
CIA - APT-C-39
APT-C-39 is a high-profile, highly capable APT group from the United States, connected to the NSA and belonging to the CIA. It carried out network intrusion attacks against key sectors in China for eleven years; organisations in China's aerospace sector, scientific research institutions, petroleum industry, large Internet companies and government agencies were attacked to varying degrees.
The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"
CIA - APT-C-39 is also known as:
海莲花 - APT-C-00
The OceanLotus (海莲花) APT group is a highly organised, professional, state-level hacking group from outside China; it was first discovered and disclosed by 360. Since at least April 2012 the group has conducted organised, planned, targeted and continuous long-term attacks against important Chinese sectors including government, research institutes, maritime agencies, maritime construction and shipping companies.
The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"
海莲花 - APT-C-00 is also known as:
- OceanLotus
海莲花 - APT-C-00 has relationships with:
- similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT32 - G0050" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Canvas Cyclone" with estimative-language:likelihood-probability="likely"
摩诃草 - APT-C-09
The 摩诃草 group (APT-C-09), also known as HangOver, VICEROY TIGER, The Dropping Elephant and Patchwork, is an APT group from South Asia that has been continuously active for 12 years. It was first exposed by the security company Norman in 2013, and other security vendors have since continued to track it and disclose its latest activity; the group did not stop attacking its targets after the exposure and has, on the contrary, been even more active since 2015. It mainly conducts cyber espionage against China, Pakistan and other Asian countries, primarily to steal sensitive information. The related activity can be traced back to November 2009 and remains very active today. In attacks against China the group mainly targets government agencies and the scientific research and education sector, with the latter as its primary focus.
The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"
摩诃草 - APT-C-09 is also known as:
- HangOver
- VICEROY TIGER
- The Dropping Elephant
- Patchwork
摩诃草 - APT-C-09 has relationships with:
- similar: misp-galaxy:threat-actor="VICEROY TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"
黄金鼠 - APT-C-27
Since November 2014 the 黄金鼠 (Golden Rat) group (APT-C-27) has conducted organised, planned, targeted and continuous long-term attacks against Syria. Its attack platforms expanded from Windows to Android; so far 29 Android attack samples, 55 Windows attack samples and 9 C&C domains have been captured. The name Golden Rat was chosen for several reasons: first, the group used a large amount of resources in its attacks, showing that it is resource-rich, and the golden hamster habitually hoards food in the wild, so the name also carries the meaning of abundance; second, the group typically emerges to attack at intervals, which it has in common with the rat; third, the golden hamster is a representative animal of the Syrian region.
The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"
黄金鼠 - APT-C-27 is also known as:
Lazarus - APT-C-26
The Lazarus group is an APT group suspected to originate from North Korea. It has long conducted intrusion attacks against South Korea and the United States and also attacks financial institutions worldwide, making it arguably the biggest threat to financial institutions globally. Its earliest attack activity can be traced back to 2007. According to investigations by foreign security companies, Lazarus is linked to the 2014 Sony Pictures hack, the 2016 Bangladesh Bank breach, and the 2017 attacks on US defence contractors, the US energy sector and Bitcoin exchanges in the United Kingdom and South Korea. The "WannaCry" ransomware, the most notorious security incident of 2017, which swept the globe, is also suspected to be its work.
The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"
Lazarus - APT-C-26 is also known as:
- APT38
Lazarus - APT-C-26 has relationships with:
- similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT38 - G0082" with estimative-language:likelihood-probability="likely"
黄金雕 - APT-C-34
The 黄金雕 (Golden Eagle) group's activity mainly affects Central Asia and is largely concentrated in Kazakhstan. Its targets include the education sector, government personnel, researchers, media workers, parts of commerce and industry, military personnel, religious figures, government dissidents and diplomats. The group uses social engineering, physical access and radio interception in its attacks, and has also procured tools from cyber arms dealers such as HackingTeam and NSO Group, giving it advanced intrusion capabilities including 0-day exploits. Drawing on the Central Asian tradition of training eagles for hunting, 360 named the group Golden Eagle (APT-C-34).
The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"
黄金雕 - APT-C-34 is also known as:
盲眼鹰 - APT-C-36
Since April 2018 an APT group suspected to originate from South America, 盲眼鹰 (Blind Eagle, APT-C-36), has conducted organised, planned, targeted and continuous long-term attacks against Colombian government agencies and large companies in important sectors (finance, oil, manufacturing and others). Its attack platform is mainly Windows and its targets are Colombian government and enterprise organisations. Because one distinctive target was the Colombian National Institute for the Blind, and because Colombia is known in football as the eagles of South America, 360 Threat Intelligence Center named the group Blind Eagle (APT-C-36), in keeping with the group's other characteristics and 360's naming rules for APT groups.
The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"
盲眼鹰 - APT-C-36 is also known as:
毒针 - APT-C-31
On 25 November 2018, 360's Advanced Threat Response Team was the first in the world to discover an APT attack campaign against Russia, targeting a medical institution belonging to the Office of the President of Russia. The campaign used the Flash 0-day vulnerability CVE-2018-15982 together with Hacking Team's RCS backdoor; in reference to the medical function of the targeted institution, 360 named the campaign Operation "毒针" (Poison Needle).
The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"
毒针 - APT-C-31 is also known as:
ArmaRat - APT-C-33
In July 2016, 360 discovered an APT campaign against Iranian Android users that had lasted two years. The attackers used the messaging application Telegram to distribute a disguised ArmaRat trojan; after a successful compromise they could fully control the victim's phone and monitor it in real time. Because the keyword "arma" appeared in both the C&C infrastructure and the code structure throughout the trojan's evolution, the group was named "ArmaRat".
The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"
ArmaRat - APT-C-33 is also known as:
军刀狮 - APT-C-38
Since July 2015 the 军刀狮 (Saber Lion) group (APT-C-38) has conducted organised, planned, targeted and continuous attacks in the Middle East, using Windows and Android as attack platforms. Because one of its principal targets was the Kurdish population of a certain Middle Eastern country in West Asia, because the string "Saber" appeared repeatedly in the PDB paths of its Windows RAT, and because the Asiatic lion is the representative animal of that country, 360 named the group Saber Lion (APT-C-38), in keeping with the group's other characteristics and 360's naming rules for APT groups.
The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"
军刀狮 - APT-C-38 is also known as:
拍拍熊 - APT-C-37
The 拍拍熊 group (APT-C-37) has conducted organised, planned, targeted and continuous long-term attacks against the extremist group "Islamic State", using Windows and Android as attack platforms.
The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"
拍拍熊 - APT-C-37 is also known as:
人面狮 - APT-C-15
Operation 人面狮 (APT-C-15) is a cyber espionage campaign active in the Middle East; its main targets likely include various organisations in countries such as Egypt and Israel, with the aim of stealing sensitive data. Its activity was concentrated between June 2014 and November 2015, and the related attacks can be traced back to December 2011. It mainly used social networks for watering-hole attacks; so far 314 malware samples and 7 C&C domains have been captured.
The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"
人面狮 - APT-C-15 is also known as:
美人鱼 - APT-C-07
The 美人鱼 (Mermaid) group (APT-C-07) is an APT group from the Middle East that has been continuously active for 9 years. It mainly conducts cyber espionage against government agencies in order to steal sensitive information, and an attack against the Danish Ministry of Foreign Affairs has been confirmed.
The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"
美人鱼 - APT-C-07 is also known as:
双尾蝎 - APT-C-23
Since May 2016 the 双尾蝎 (Two-tailed Scorpion) group (APT-C-23) has conducted organised, planned, targeted and continuous long-term attacks against important sectors in Palestine such as educational and military institutions. Its attack platforms include Windows and Android and its targeting is mainly in the Middle East; so far 24 Android samples, 19 Windows samples and 29 C&C domains have been captured. The name Two-tailed Scorpion was chosen for several reasons: first, the group attacks both Palestine and Israel, two parties with a degree of hostility between them, which has rarely been seen before; second, the group attacks on both the Windows and Android platforms. Although some APT groups captured earlier, such as OceanLotus, have carried out multi-platform attacks, the vast majority of APT groups still focus on Windows, and a group that pays equal attention to both platforms and is this active on Android is uncommon. The third reason is that the scorpion is a representative animal of the Palestinian-Israeli region.
The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"
双尾蝎 - APT-C-23 is also known as:
蓝宝菇 - APT-C-12
Since 2011 the advanced attack group 蓝宝菇 (APT-C-12) has conducted continuous cyber espionage against key Chinese units and departments in government, the defence industry, scientific research and finance. The group is mainly interested in information related to the nuclear industry and scientific research. Its targets are concentrated in mainland China.
The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"
蓝宝菇 - APT-C-12 is also known as:
- 核危机行动 (Operation NuclearCrisis)
毒云藤 - APT-C-01
APT-C-01, also known as 毒云藤, is an APT group that has long targeted China and has been active since at least 2007. It conducted cyber espionage for 11 years against key Chinese units and departments in defence, government, technology, education and maritime agencies, focusing on the defence industry, China-US relations, cross-strait relations and maritime affairs, with the aim of stealing major decisions and sensitive information. APT-C-01 was first disclosed by 360 Threat Intelligence Center, which named it 毒云藤 after a vine common in the region the group is associated with.
The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"
毒云藤 - APT-C-01 is also known as:
- 穷奇
- 白海豚
- 绿斑
Darkhotel - APT-C-06
Darkhotel (APT-C-06) is an APT group that has long conducted cyber espionage against corporate executives, the defence industry, the electronics industry and other important organisations. In November 2014 security experts at Kaspersky Lab first discovered the Darkhotel APT group and stated that it had been active since at least 2010, with targets essentially in South Korea, China, Russia and Japan. Kaspersky named the group Darkhotel because of an exposed campaign in which it used hotel wireless networks to target elite executives in manufacturing, defence, investment capital, private equity, the automotive industry and other sectors.
The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"
Darkhotel - APT-C-06 is also known as:
- Luder
- Karba
- Tapaoux
- Dubnium
- SIG25
Darkhotel - APT-C-06 has relationships with:
- similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="DUBNIUM" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Zigzag Hail" with estimative-language:likelihood-probability="likely"
奇幻熊 - APT-C-20
APT28 (APT-C-20), also known as Pawn Storm, Sofacy, Sednit, Fancy Bear and Strontium, is suspected of being backed by the Russian government; its attack activity can be traced back to 2004. Its main targets include the defence industry, the military, government organisations and the media. It has used a large number of 0-day vulnerabilities, and its malware targets not only PC operating systems such as Windows and Linux but also mobile operating systems such as Apple iOS. It was earlier suspected of involvement in cyber attacks against NATO. In the first quarter of 2015 APT28 was highly active, attacking NATO member states and governments in Europe, Asia and the Middle East. Many security vendors now suspect it is linked to the Russian government, and it was earlier suspected of covertly investigating the MH17 incident. Since 2016 the group's newest targets have been senior Turkish officials.
The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"
奇幻熊 - APT-C-20 is also known as:
- APT28
- Pawn Storm
- Sofacy Group
- Sednit
- Fancy Bear
- STRONTIUM
奇幻熊 - APT-C-20 has relationships with:
- similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Forest Blizzard" with estimative-language:likelihood-probability="likely"
沙虫 - APT-C-13
The 沙虫 (Sandworm) group's main target sectors are government, education, energy and telecommunications operators, with espionage directed in particular at Western governments, NATO and the Ukrainian government. The group used a 0-day vulnerability (CVE-2014-4114) in a phishing attack against the Ukrainian government, and also attacked the United States around the NATO summit in Wales that discussed the Ukraine crisis. The group has also used the BlackEnergy malware. Sandworm does not only conduct conventional cyber espionage but has also attacked SCADA systems; researchers believe that activity was reconnaissance for later cyber attacks. There is also some evidence that BlackEnergy was involved in the cyber attacks on industrial targets such as the Ukrainian power grid; if BlackEnergy was indeed used in those attacks, they may be linked to the Sandworm group.
The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"
沙虫 - APT-C-13 is also known as:
- SandWorm
沙虫 - APT-C-13 has relationships with:
- similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"
肚脑虫 - APT-C-35
The APT-C-35 (肚脑虫) group, also known as Donot, conducts cyber espionage against government agencies and other sectors in countries related to the Kashmir region, primarily to steal sensitive information. The group was first exposed by 360's Helios team in March 2017, and several domestic and foreign security teams have since tracked it and disclosed its latest attack activity. Its attacks began in April 2016 and continue today, mainly via spear-phishing e-mails.
The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"
肚脑虫 - APT-C-35 is also known as:
- Donot
蔓灵花 - APT-C-08
The 蔓灵花 group uses spear-phishing e-mails and system vulnerabilities to attack mainly government, power and industrial organisations, primarily to steal sensitive information. The earliest foreign samples appeared in November 2013, with sample compilation times concentrated between July 2015 and September 2016; the security company Forcepoint first reported the group in 2016, it has been observed many times since, and it remains very active today.
The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"
蔓灵花 - APT-C-08 is also known as:
索伦之眼 - APT-C-16
The 索伦之眼 group (APT-C-16), also known as Sauron and Strider, mainly conducts cyber espionage against China, Russia and several other countries, primarily to steal sensitive information. Its activity can be traced back to 2010 and remains very active today. The group is highly covert and extremely targeted throughout its attacks, using custom malware or communication infrastructure for each specific target and never reusing attack resources. The complexity of its malware is comparable to Equation, and its overall capability is no weaker than that of APT groups such as Stuxnet and Flame.
The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"
索伦之眼 - APT-C-16 is also known as:
- Sauron
- Strider
索伦之眼 - APT-C-16 has relationships with:
- similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Strider - G0041" with estimative-language:likelihood-probability="likely"
潜行者 - APT-C-30
The 潜行者 group mainly collects sensitive information from government agencies, defence departments and intelligence agencies in Southeast Asian countries, and has conducted cyber attacks against China for more than ten years. It mainly targets key organisations in government and telecommunications; its attacks can be traced back to 2009, the earliest sample compilation time is 2008, and its activity continues today.
The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"
潜行者 - APT-C-30 is also known as:
响尾蛇 - APT-C-24
APT-C-24, also known as Sidewinder and Rattlesnake, is an APT group with an Indian background. It usually targets countries in South Asia and the surrounding region, including Pakistan, China and Nepal, mainly attacking the government, military and diplomatic sectors; one of its most common infection vectors is malicious documents carrying exploits. In early 2020 the group also used COVID-19-related decoy documents in attacks against Bangladesh, China and Pakistan. Tracking in recent years shows that Sidewinder increasingly uses trending topics such as COVID-19 or various political issues as social engineering lures against its targets, so greater vigilance is needed.
The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"
响尾蛇 - APT-C-24 is also known as:
- SideWinder
响尾蛇 - APT-C-24 has relationships with:
- similar: misp-galaxy:threat-actor="RAZOR TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121" with estimative-language:likelihood-probability="likely"
ScarCruft - APT-C-28
The APT-C-28 group, also known as ScarCruft, APT37 (Reaper) and Group123, is an APT group from Northeast Asia whose attack activity can be traced back to 2012 and which remains active today. APT-C-28 mainly conducts cyber espionage against South Korea and other Asian countries, primarily to steal intelligence and sensitive data related to strategic military, political and economic interests. The group was first exposed by Kaspersky in June 2016, and security vendors have since continued to track it and expose its latest attack activity.
The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"
ScarCruft - APT-C-28 is also known as:
- APT37(Reaper)
- Group123
ScarCruft - APT-C-28 has relationships with:
- similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT37 - G0067" with estimative-language:likelihood-probability="likely"
Turla - APT-C-29
Turla Group, also known as Waterbug, Venomous Bear and Group 88, is an APT group with a Russian background that has been active since at least 1996 and has attacked more frequently since 2015. Turla's targets span many countries worldwide and cover government, diplomacy, military, education, research, healthcare and other sectors; it is known for watering-hole attacks, spear-phishing and the use of customised malware.
The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"
Turla - APT-C-29 is also known as:
- Turla, Waterbug, Venomous Bear, Group 88
Carbanak - APT-C-11
The Carbanak (also Anunak) attack group is a transnational cybercrime gang. Since 2013 it has attacked a total of 100 banks, electronic payment systems and other financial institutions in about 30 countries and regions worldwide, and its activity remains very active.
The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"
Carbanak - APT-C-11 is also known as:
- Anunak
Carbanak - APT-C-11 has relationships with:
- similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"
飞鲨 - APT-C-17
APT-C-17 is an APT attack discovered by 360, which named the campaign Operation "飞鲨" (Flying Shark). The related activity can be traced back to January 2013 and remained active until March 2014, mainly targeting China's aerospace sector with the aim of stealing sensitive data from targeted users; no related attacks have been observed recently.
The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"
飞鲨 - APT-C-17 is also known as:
方程式 - APT-C-40
APT-C-40 (方程式, Equation) is the most powerful APT group in history. It has been active for nearly 20 years, surpasses every other cyber attack group in history in attack complexity and technique, and is considered the operator behind the famous Stuxnet and Flame malware.
The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"
方程式 - APT-C-40 is also known as:
透明部落 - APT-C-56
Operation_C-Major, also known as Transparent Tribe, APT36 and Mythic Leopard, is an APT group with a Pakistani background. Its attacks affect a wide range of victims, but its main targets are Indian government and military organisations; to protect national interests, civil groups and politicians within Pakistan are also major targets. The group was first discovered in 2013 and has been active in recent years. In early 2020 it used decoy documents about the India-Pakistan border dispute in spear-phishing attacks against Indian government organisations and defence personnel, the so-called "Honey Trap" operation, to steal state secrets and sensitive data.
The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"
透明部落 - APT-C-56 is also known as:
- APT36
- ProjectM
- C-Major
透明部落 - APT-C-56 has relationships with:
- similar: misp-galaxy:threat-actor="Operation C-Major" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134" with estimative-language:likelihood-probability="likely"
腾云蛇 - APT-C-61
APT-C-61, also known as 腾云蛇 (Cloud-riding Snake), can be traced back to January 2020 and remains very active. Its main targets are state institutions, the defence industry, scientific research, national defence and other important sectors in Pakistan, Bangladesh and other countries. It uses spear-phishing e-mails combined with social engineering to deliver malware to target devices, covertly controls them and continuously steals sensitive files. The name refers to its reliance on cloud services for C2, payload delivery and storage of stolen data, and to its trojans being written in Python.
The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"
腾云蛇 - APT-C-61 is also known as:
Kimsuky - APT-C-55
Kimsuky is an APT group based in North Korea, also known as Mystery Baby, Baby Coin, Smoke Screen, BabyShark and Cobra Venom, among other names, and was first disclosed by Kaspersky in 2013. The group has long attacked South Korean think tanks, government and diplomatic bodies, news organisations and academic institutions, and in recent years has expanded its targets to countries including the United States, Russia and European states. Its main purpose is intelligence theft and espionage. The group is very active; its common payloads include HWP files carrying exploits, malicious macro documents and PE files that drop further payloads.
The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"
Kimsuky - APT-C-55 is also known as:
卢甘斯克组织 - APT-C-46
In early 2019 a foreign security vendor disclosed targeted attacks against the Ukrainian government by an APT group with a suspected Luhansk background. According to the related report, the group's activity can be traced back to at least 2014; it has extensively used phishing and watering-hole attacks against Ukrainian government agencies, and in past activity has used the open-source Quasar RAT and the VERMIN malware to capture audio and video from targets, steal passwords and obtain confidential documents.
The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"
卢甘斯克组织 - APT-C-46 is also known as:
- APT-C-46
旺刺组织 - APT-C-47
Recently 360 Security Brain detected several attack campaigns using malicious ClickOnce programs. In-depth analysis by 360's Advanced Threat Research Institute found these to be the work of a previously undisclosed APT group from the Korean Peninsula region, targeting organisations and individuals associated with the peninsula; 360 Security Brain data shows the group's activity can be traced back to 2018. No security vendor has yet publicly disclosed this group's activity, nor any real APT attack using this technique. Because 360 was the first in the world to capture and disclose this campaign, the group was named "旺刺" (a homophone of the attack technique it favours) and assigned the new designation APT-C-47.
The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"
旺刺组织 - APT-C-47 is also known as:
- APT-C-47
DomesticKitten - APT-C-50
Domestic Kitten (Check Point), alias APT-C-50, was first disclosed by a foreign security vendor. Since 2016 it has conducted extensive and targeted attacks against dissidents and opposition forces within a certain Middle Eastern country, supporters of ISIS, and the Kurdish minority settled mainly in the west of that country. Notably, all of its targets are citizens of that country. Government agencies of that country such as the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and the Ministry of the Interior may support the group.
The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"
DomesticKitten - APT-C-50 is also known as:
- APT-C-50
SandCat - APT-C-32
SandCat was first discovered by Kaspersky in 2018. The group has been using FinFisher/FinSpy spyware and the CHAINSHOT attack framework, has the capability to use 0-day vulnerabilities, and has previously used CVE-2018-8589 and CVE-2018-8611. It mainly attacks targets in the Middle East, Africa and Eastern Europe.
The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"
SandCat - APT-C-32 is also known as:
CNC - APT-C-48
The group was discovered in 2019 and is provisionally called CNC because the string cnc_client appears in the PDB paths of its samples. It conducts targeted attacks against China's education, aerospace, defence industry and healthcare sectors to steal intelligence. During attacks it attempts to use N-day vulnerabilities, and it has developers capable of writing trojans in Go.
The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"
CNC - APT-C-48 is also known as:
蓝色魔眼 - APT-C-41
APT-C-41 is an APT group with a Turkish background whose earliest attack activity can be traced back to 2012. It mainly attacks Italy, Turkey, Belgium, Syria and other European countries and regions. In 2020, 360 discovered attacks by the group against organisations in China and designated it APT-C-41.
The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"
蓝色魔眼 - APT-C-41 is also known as:
Machete - APT-C-43
El Machete was first discovered by Kaspersky; its earliest attacks can be traced back to 2014 and mainly target Latin America. 360's Baize Lab discovered a new backdoor written in Python, Pyark; through in-depth analysis and attribution of that backdoor, a series of advanced threat operations active since 2019 was uncovered in which the attackers compromised several Venezuelan military institutions, deployed the backdoor, and continuously monitored and stole the latest military secrets.
The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"
Machete - APT-C-43 is also known as:
- Machete
Machete - APT-C-43 has relationships with:
- similar: misp-galaxy:threat-actor="El Machete" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Machete - G0095" with estimative-language:likelihood-probability="likely"
Gamaredon - APT-C-53
Gamaredon, also known as Primitive Bear, Winterflounder and BlueAlpha, has been active since at least 2013 and is an APT group sponsored by the Russian government. Gamaredon mainly conducts cyber espionage against Ukraine's government, defence, diplomacy and news media. In recent years the group has continuously upgraded its tactics and techniques and developed customised malware, making it harder for security personnel to capture and track.
The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"
Gamaredon - APT-C-53 is also known as:
北非狐 - APT-C-44
The 北非狐 (North African Fox) group (APT-C-44) is an APT group from Algeria that has been continuously active for 3 years. It mainly conducts cyber espionage against the Middle East, primarily to steal sensitive information. Its activity can be traced back to November 2017 and remains active today.
The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"
北非狐 - APT-C-44 is also known as:
WellMess - APT-C-42
WELLMESS is a relatively new Russian-speaking APT group, first discovered in 2017 and active since. It mainly conducts espionage against the Asian region, has carried out a supply-chain attack lasting more than two years, and has exploit capabilities. Its targets are mainly government, IT and scientific research organisations, and its primary goal is stealing documents.
The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"
WellMess - APT-C-42 is also known as:
Android
Android malware galaxy based on multiple open sources.
Android is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Authors:
- Unknown
CopyCat
CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.
The tag is: misp-galaxy:android="CopyCat"
Andr/Dropr-FH
Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.
The tag is: misp-galaxy:android="Andr/Dropr-FH"
Andr/Dropr-FH is also known as:
- GhostCtrl
Andr/Dropr-FH has relationships with:
- similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"
Judy
The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.
The tag is: misp-galaxy:android="Judy"
RedAlert2
The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.
The tag is: misp-galaxy:android="RedAlert2"
RedAlert2 has relationships with:
- similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"
Tizi
Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.
The tag is: misp-galaxy:android="Tizi"
Links:
- https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html
DoubleLocker
DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.
The tag is: misp-galaxy:android="DoubleLocker"
DoubleLocker has relationships with:
- similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"
Links:
- https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/
Svpeng
Svpeng is a banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. By abusing this service it gains administrator rights, allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed.
The tag is: misp-galaxy:android="Svpeng"
Svpeng is also known as:
- Invisble Man
Svpeng has relationships with:
- similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"
Links:
- https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
- https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/
LokiBot
LokiBot is a banking trojan for Android 4.0 and higher. It can steal information and send SMS messages. It has the ability to start web browsers and banking applications, and to show notifications impersonating other apps. Upon an attempt to remove it, it will encrypt the device's external storage and demand Bitcoin to decrypt the files.
The tag is: misp-galaxy:android="LokiBot"
LokiBot has relationships with:
- similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"
Links:
- https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html
BankBot
The main goal of this malware is to steal banking credentials from the victim's device. It usually impersonates Flash Player updaters, Android system tools, or other legitimate applications.
The tag is: misp-galaxy:android="BankBot"
BankBot has relationships with:
- similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"
Links:
- https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot
Viking Horde
On rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.
The tag is: misp-galaxy:android="Viking Horde"
Links:
- http://www.alwayson-network.com/worst-types-android-malware-2016/
HummingBad
A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.
The tag is: misp-galaxy:android="HummingBad"
HummingBad has relationships with:
- similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"
Links:
- http://www.alwayson-network.com/worst-types-android-malware-2016/
- http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
Ackposts
Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.
The tag is: misp-galaxy:android="Ackposts"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99
Wirex
Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.
The tag is: misp-galaxy:android="Wirex"
WannaLocker
WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.
The tag is: misp-galaxy:android="WannaLocker"
Links:
- https://fossbytes.com/wannalocker-ransomware-wannacry-android/
Switcher
Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Switcher attempts to infiltrate the admin interface of the router on the device's Wi-Fi network by using brute-force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.
The tag is: misp-galaxy:android="Switcher"
Switcher has relationships with:
- similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"
Links:
- https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/
- https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99
Vibleaker
Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.
The tag is: misp-galaxy:android="Vibleaker"
Links:
- http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml
ExpensiveWall
ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.
The tag is: misp-galaxy:android="ExpensiveWall"
Cepsohord
Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.
The tag is: misp-galaxy:android="Cepsohord"
Links:
- https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord
Fakem Rat
Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).
The tag is: misp-galaxy:android="Fakem Rat"
GM Bot
GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps' log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.
The tag is: misp-galaxy:android="GM Bot"
GM Bot is also known as:
- Acecard
- SlemBunk
- Bankosy
GM Bot has relationships with:
- similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links:
- https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide
Moplus
The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.
The tag is: misp-galaxy:android="Moplus"
Links:
- http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html
Adwind
Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. Its commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms, providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.
The tag is: misp-galaxy:android="Adwind"
Adwind is also known as:
- AlienSpy
- Frutas
- Unrecom
- Sockrat
- Jsocket
- jRat
- Backdoor:Java/Adwind
Adwind has relationships with:
- similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
AdSms
Adsms is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="AdSms"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99
Airpush
Airpush is a very aggressive ad network.
The tag is: misp-galaxy:android="Airpush"
Airpush is also known as:
- StopSMS
Links:
- https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf
BeanBot
BeanBot forwards the device's data to a remote server and sends out premium-rate SMS messages from the infected device.
The tag is: misp-galaxy:android="BeanBot"
Links:
- https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml
Kemoge
Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the user's Android device.
The tag is: misp-galaxy:android="Kemoge"
Kemoge has relationships with:
- similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"
Links:
- https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
- https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99
Ghost Push
Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.
The tag is: misp-galaxy:android="Ghost Push"
Links:
- https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push
BeNews
The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.
The tag is: misp-galaxy:android="BeNews"
Accstealer
Accstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Accstealer"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99
Acnetdoor
Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.
The tag is: misp-galaxy:android="Acnetdoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99 |
Acnetsteal
Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.
The tag is: misp-galaxy:android="Acnetsteal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99 |
Actech
Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Actech"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99 |
AdChina
AdChina is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdChina"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99 |
Adfonic
Adfonic is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adfonic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99 |
AdInfo
AdInfo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdInfo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99 |
Adknowledge
Adknowledge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adknowledge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99 |
AdMarvel
AdMarvel is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMarvel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99 |
AdMob
AdMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99 |
Adrd
Adrd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Adrd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99 |
Aduru
Aduru is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Aduru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99 |
Adwhirl
Adwhirl is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwhirl"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99 |
Adwlauncher
Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Adwlauncher"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99 |
Adwo
Adwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99 |
Airad
Airad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Airad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99 |
Alienspy
Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.
The tag is: misp-galaxy:android="Alienspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99 |
AmazonAds
AmazonAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AmazonAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99 |
Answerbot
Answerbot is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Answerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99 |
Antammi
Antammi is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Antammi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99 |
Apkmore
Apkmore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apkmore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99 |
Aplog
Aplog is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Aplog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99 |
Appenda
Appenda is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Appenda"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99 |
Apperhand
Apperhand is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apperhand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99 |
Appleservice
Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Appleservice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99 |
AppLovin
AppLovin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AppLovin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99 |
Arspam
Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.
The tag is: misp-galaxy:android="Arspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99 |
Aurecord
Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Aurecord"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99 |
Backapp
Backapp is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Backapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99 |
Backdexer
Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.
The tag is: misp-galaxy:android="Backdexer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99 |
Backflash
Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Backflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99 |
Backscript
Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.
The tag is: misp-galaxy:android="Backscript"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99 |
Badaccents
Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.
The tag is: misp-galaxy:android="Badaccents"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99 |
Badpush
Badpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Badpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99 |
Ballonpop
Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Ballonpop"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99 |
Bankosy
Bankosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Bankosy"
Bankosy has relationships with:
- similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99 |
Bankun
Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.
The tag is: misp-galaxy:android="Bankun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99 |
Basebridge
Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Basebridge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99 |
Basedao
Basedao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Basedao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99 |
Batterydoctor
Batterydoctor is a Trojan that makes exaggerated claims about the device's ability to recharge the battery, and also steals information.
The tag is: misp-galaxy:android="Batterydoctor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99 |
Beaglespy
Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Beaglespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99 |
Becuro
Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Becuro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99 |
Beita
Beita is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Beita"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99 |
Bgserv
Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Bgserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99 |
Biigespy
Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Biigespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99 |
Bmaster
Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Bmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99 |
Bossefiv
Bossefiv is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Bossefiv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99 |
Boxpush
Boxpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Boxpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99 |
Burstly
Burstly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Burstly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99 |
Buzzcity
Buzzcity is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Buzzcity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99 |
ByPush
ByPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ByPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99 |
Cajino
Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Cajino"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99 |
Casee
Casee is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Casee"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99 |
Catchtoken
Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Catchtoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99 |
Cauly
Cauly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cauly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99 |
Cellshark
Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Cellshark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99 |
Centero
Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Centero"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99 |
Chuli
Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.
The tag is: misp-galaxy:android="Chuli"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99 |
Citmo
Citmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Citmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99 |
Claco
Claco is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Claco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99 |
Clevernet
Clevernet is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Clevernet"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99 |
Cnappbox
Cnappbox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cnappbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99 |
Cobblerone
Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.
The tag is: misp-galaxy:android="Cobblerone"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99 |
Coolpaperleak
Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Coolpaperleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99 |
Coolreaper
Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.
The tag is: misp-galaxy:android="Coolreaper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99 |
Cosha
Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Cosha"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99 |
Counterclank
Counterclank is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Counterclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99 |
Crazymedia
Crazymedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Crazymedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99 |
Crisis
Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Crisis"
Crisis has relationships with:
- similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99 |
Crusewind
Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Crusewind"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99 |
Dandro
Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.
The tag is: misp-galaxy:android="Dandro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99 |
Daoyoudao
Daoyoudao is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Daoyoudao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99 |
Deathring
Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Deathring"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99 |
Deeveemap
Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Deeveemap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99 |
Dendoroid
Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.
The tag is: misp-galaxy:android="Dendoroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99 |
Dengaru
Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.
The tag is: misp-galaxy:android="Dengaru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99 |
Diandong
Diandong is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Diandong"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99 |
Dianjin
Dianjin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dianjin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99 |
Dogowar
Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.
The tag is: misp-galaxy:android="Dogowar"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99 |
Domob
Domob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Domob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99 |
Dougalek
Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.
The tag is: misp-galaxy:android="Dougalek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99 |
Dowgin
Dowgin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dowgin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99 |
Droidsheep
Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.
The tag is: misp-galaxy:android="Droidsheep"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99 |
Dropdialer
Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Dropdialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99 |
Dupvert
Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.
The tag is: misp-galaxy:android="Dupvert"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99 |
Dynamicit
Dynamicit is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dynamicit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99 |
Ecardgrabber
Ecardgrabber is an application that attempts to read details from NFC-enabled credit cards that are in close proximity to the device.
The tag is: misp-galaxy:android="Ecardgrabber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99 |
Ecobatry
Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Ecobatry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99 |
Enesoluty
Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Enesoluty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99 |
Everbadge
Everbadge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Everbadge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99 |
Ewalls
Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.
The tag is: misp-galaxy:android="Ewalls"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99 |
Exprespam
Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.
The tag is: misp-galaxy:android="Exprespam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99 |
Fakealbums
Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.
The tag is: misp-galaxy:android="Fakealbums"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99 |
Fakeangry
Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Fakeangry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99 |
Fakeapp
Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.
The tag is: misp-galaxy:android="Fakeapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99 |
Fakebanco
Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.
The tag is: misp-galaxy:android="Fakebanco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99 |
Fakebank
Fakebank is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99 |
Fakebank.B
Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99 |
Fakebok
Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.
The tag is: misp-galaxy:android="Fakebok"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99 |
Fakedaum
Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakedaum"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99 |
Fakedefender
Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99 |
Fakedefender.B
Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99 |
Fakedown
Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.
The tag is: misp-galaxy:android="Fakedown"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99 |
Fakeflash
Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.
The tag is: misp-galaxy:android="Fakeflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99 |
Fakegame
Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakegame"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99 |
Fakeguard
Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakeguard"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99 |
Fakejob
Fakejob is a Trojan horse for Android devices that redirects users to scam websites.
The tag is: misp-galaxy:android="Fakejob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99 |
Fakekakao
Fakekakao is a Trojan horse for Android devices that sends SMS messages to contacts stored on the compromised device.
The tag is: misp-galaxy:android="Fakekakao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99 |
Fakelemon
Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.
The tag is: misp-galaxy:android="Fakelemon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99 |
Fakelicense
Fakelicense is a Trojan horse that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Fakelicense"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99 |
Fakelogin
Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakelogin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99 |
FakeLookout
FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="FakeLookout"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99 |
FakeMart
FakeMart is a Trojan horse for Android devices that may send SMS messages to premium-rate numbers. It may also block incoming messages and steal information from the compromised device.
The tag is: misp-galaxy:android="FakeMart"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99 |
Fakemini
Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.
The tag is: misp-galaxy:android="Fakemini"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99 |
Fakemrat
Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakemrat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99 |
Fakeneflic
Fakeneflic is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fakeneflic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99 |
Fakenotify
Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.
The tag is: misp-galaxy:android="Fakenotify"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99 |
Fakepatch
Fakepatch is a Trojan horse for Android devices that downloads more files onto the device.
The tag is: misp-galaxy:android="Fakepatch"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99 |
Fakeplay
Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Fakeplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99 |
Fakescarav
Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakescarav"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99 |
Fakesecsuit
Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakesecsuit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99 |
Fakesucon
Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Fakesucon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99 |
Faketaobao
Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Faketaobao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99 |
Faketaobao.B
Faketaobao.B is a Trojan horse for Android devices that intercepts incoming SMS messages and sends them to a remote attacker.
The tag is: misp-galaxy:android="Faketaobao.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99 |
Faketoken
Faketoken is a Trojan horse that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Faketoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99 |
http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/ |
Fakeupdate
Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.
The tag is: misp-galaxy:android="Fakeupdate"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99 |
Fakevoice
Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.
The tag is: misp-galaxy:android="Fakevoice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99 |
Farmbaby
Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Farmbaby"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99 |
Fauxtocopy
Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.
The tag is: misp-galaxy:android="Fauxtocopy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99 |
Feiwo
Feiwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Feiwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99 |
FindAndCall
FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.
The tag is: misp-galaxy:android="FindAndCall"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99 |
Finfish
Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Finfish"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99 |
Fireleaker
Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fireleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99 |
Fitikser
Fitikser is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fitikser"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99 |
Flexispy
Flexispy is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Flexispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99 |
Fokonge
Fokonge is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fokonge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99 |
FoncySMS
FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.
The tag is: misp-galaxy:android="FoncySMS"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99 |
Frogonal
Frogonal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Frogonal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99 |
Ftad
Ftad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ftad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99 |
Funtasy
Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.
The tag is: misp-galaxy:android="Funtasy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99 |
GallMe
GallMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="GallMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99 |
Gamex
Gamex is a Trojan horse for Android devices that downloads further threats.
The tag is: misp-galaxy:android="Gamex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99 |
Gappusin
Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.
The tag is: misp-galaxy:android="Gappusin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99 |
Gazon
Gazon is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Gazon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99 |
Geinimi
Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Geinimi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99 |
Generisk
Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.
The tag is: misp-galaxy:android="Generisk"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99 |
Genheur
Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.
The tag is: misp-galaxy:android="Genheur"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99 |
Genpush
Genpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Genpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99 |
GeoFake
GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.
The tag is: misp-galaxy:android="GeoFake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99 |
Geplook
Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.
The tag is: misp-galaxy:android="Geplook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99 |
Getadpush
Getadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Getadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99 |
Ggtracker
Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.
The tag is: misp-galaxy:android="Ggtracker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99 |
Ghostpush
Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Ghostpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99 |
Gmaster
Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Gmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99 |
Godwon
Godwon is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Godwon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99 |
Golddream
Golddream is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Golddream"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99 |
Goldeneagle
Goldeneagle is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Goldeneagle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99 |
Golocker
Golocker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Golocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99 |
Gomal
Gomal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Gomal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99 |
Gonesixty
Gonesixty is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonesixty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99 |
Gonfu
Gonfu is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99 |
Gonfu.B
Gonfu.B is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99 |
Gonfu.C
Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.
The tag is: misp-galaxy:android="Gonfu.C"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99 |
Gonfu.D
Gonfu.D is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Gonfu.D"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99 |
Gooboot
Gooboot is a Trojan horse for Android devices that may send text messages to premium-rate numbers.
The tag is: misp-galaxy:android="Gooboot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99 |
Goodadpush
Goodadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Goodadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99 |
Greystripe
Greystripe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Greystripe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99 |
Gugespy
Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Gugespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99 |
Gugespy.B
Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Gugespy.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99 |
Gupno
Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.
The tag is: misp-galaxy:android="Gupno"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99 |
Habey
Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Habey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99 |
Handyclient
Handyclient is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Handyclient"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99 |
Hehe
Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.
The tag is: misp-galaxy:android="Hehe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99 |
Hesperbot
Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="Hesperbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99 |
Hippo
Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99 |
Hippo.B
Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99 |
IadPush
IadPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="IadPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99 |
iBanking
iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="iBanking"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99 |
Iconosis
Iconosis is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosis"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99 |
Iconosys
Iconosys is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosys"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99 |
Igexin
Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins.
The tag is: misp-galaxy:android="Igexin"
Igexin is also known as:
- IcicleGum
Igexin has relationships with:
- similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"
ImAdPush
ImAdPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ImAdPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99 |
InMobi
InMobi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="InMobi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99 |
Jifake
Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Jifake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99 |
Jollyserv
Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Jollyserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99 |
Jsmshider
Jsmshider is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Jsmshider"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99 |
Ju6
Ju6 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ju6"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99 |
Jumptap
Jumptap is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jumptap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99 |
Jzmob
Jzmob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jzmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99 |
Kabstamper
Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.
The tag is: misp-galaxy:android="Kabstamper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99 |
Kidlogger
Kidlogger is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Kidlogger"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99 |
Kielog
Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.
The tag is: misp-galaxy:android="Kielog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99 |
Kituri
Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Kituri"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99 |
Kranxpay
Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.
The tag is: misp-galaxy:android="Kranxpay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99 |
Krysanec
Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Krysanec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99 |
Kuaidian360
Kuaidian360 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuaidian360"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99 |
Kuguo
Kuguo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuguo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99 |
Lastacloud
Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Lastacloud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99 |
Laucassspy
Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Laucassspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99 |
Lifemonspy
Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.
The tag is: misp-galaxy:android="Lifemonspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99 |
Lightdd
Lightdd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Lightdd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99 |
Loaderpush
Loaderpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Loaderpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99 |
Locaspy
Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.
The tag is: misp-galaxy:android="Locaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99 |
Lockdroid.E
Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.E"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99 |
Lockdroid.F
Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.F"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99 |
Lockdroid.G
Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.G"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99 |
Lockdroid.H
Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.H"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99 |
Lockscreen
Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.
The tag is: misp-galaxy:android="Lockscreen"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99 |
LogiaAd
LogiaAd is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="LogiaAd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99 |
Loicdos
Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.
The tag is: misp-galaxy:android="Loicdos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99 |
Loozfon
Loozfon is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Loozfon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99 |
Lotoor
Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.
The tag is: misp-galaxy:android="Lotoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99 |
Lovespy
Lovespy is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Lovespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99 |
Lovetrap
Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Lovetrap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99 |
Luckycat
Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="Luckycat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99 |
Machinleak
Machinleak is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Machinleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99 |
Maistealer
Maistealer is a Trojan that steals information from Android devices.
The tag is: misp-galaxy:android="Maistealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99 |
Malapp
Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.
The tag is: misp-galaxy:android="Malapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99 |
Malebook
Malebook is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malebook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99 |
Malhome
Malhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99 |
Malminer
Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.
The tag is: misp-galaxy:android="Malminer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99 |
Mania
Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Mania"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99 |
Maxit
Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.
The tag is: misp-galaxy:android="Maxit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99 |
MdotM
MdotM is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MdotM"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99 |
Medialets
Medialets is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Medialets"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99 |
Meshidden
Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Meshidden"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99 |
Mesploit
Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.
The tag is: misp-galaxy:android="Mesploit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99 |
Mesprank
Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Mesprank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99 |
Meswatcherbox
Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.
The tag is: misp-galaxy:android="Meswatcherbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99 |
Miji
Miji is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Miji"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99 |
Milipnot
Milipnot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Milipnot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99 |
MillennialMedia
MillennialMedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MillennialMedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99 |
Mitcad
Mitcad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mitcad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99 |
MobClix
MobClix is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobClix"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99 |
MobFox
MobFox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobFox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99 |
Mobidisplay
Mobidisplay is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobidisplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99 |
Mobigapp
Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.
The tag is: misp-galaxy:android="Mobigapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99 |
MobileBackup
MobileBackup is a spyware application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="MobileBackup"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99 |
Mobilespy
Mobilespy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Mobilespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99 |
Mobiletx
Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Mobiletx"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99 |
Mobinaspy
Mobinaspy is a spyware application for Android devices that can track the device’s location.
The tag is: misp-galaxy:android="Mobinaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99 |
Mobus
Mobus is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99 |
MobWin
MobWin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobWin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99 |
Mocore
Mocore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mocore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99 |
Moghava
Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.
The tag is: misp-galaxy:android="Moghava"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99 |
Momark
Momark is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Momark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99 |
Monitorello
Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Monitorello"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99 |
Moolah
Moolah is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Moolah"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99 |
MoPub
MoPub is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MoPub"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99 |
Morepaks
Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.
The tag is: misp-galaxy:android="Morepaks"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99 |
Nandrobox
Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.
The tag is: misp-galaxy:android="Nandrobox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99 |
Netisend
Netisend is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Netisend"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99 |
Nickispy
Nickispy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Nickispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99 |
Notcompatible
Notcompatible is a Trojan horse for Android devices that acts as a proxy.
The tag is: misp-galaxy:android="Notcompatible"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99 |
Nuhaz
Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.
The tag is: misp-galaxy:android="Nuhaz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99 |
Nyearleaker
Nyearleaker is a Trojan horse program for Android devices that steals information.
The tag is: misp-galaxy:android="Nyearleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99 |
Obad
Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.
The tag is: misp-galaxy:android="Obad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99 |
Oneclickfraud
Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.
The tag is: misp-galaxy:android="Oneclickfraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99 |
Opfake
Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.
The tag is: misp-galaxy:android="Opfake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99 |
Opfake.B
Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.
The tag is: misp-galaxy:android="Opfake.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99 |
Ozotshielder
Ozotshielder is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Ozotshielder"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99 |
Pafloat
Pafloat is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pafloat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99 |
PandaAds
PandaAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="PandaAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99 |
Pandbot
Pandbot is a Trojan horse for Android devices that may download more files onto the device.
The tag is: misp-galaxy:android="Pandbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99 |
Pdaspy
Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Pdaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99 |
Penetho
Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.
The tag is: misp-galaxy:android="Penetho"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99 |
Perkel
Perkel is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Perkel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99 |
Phimdropper
Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.
The tag is: misp-galaxy:android="Phimdropper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99 |
Phospy
Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.
The tag is: misp-galaxy:android="Phospy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99 |
Piddialer
Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.
The tag is: misp-galaxy:android="Piddialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99 |
Pikspam
Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.
The tag is: misp-galaxy:android="Pikspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99 |
Pincer
Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pincer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99 |
Pirator
Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Pirator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99 |
Pjapps
Pjapps is a Trojan horse that has been embedded in third-party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.
The tag is: misp-galaxy:android="Pjapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99 |
Pjapps.B
Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pjapps.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99 |
Pletora
Pletora is a Trojan horse for Android devices that may lock the compromised device and then ask the user to pay in order to unlock it.
The tag is: misp-galaxy:android="Pletora"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99 |
Poisoncake
Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.
The tag is: misp-galaxy:android="Poisoncake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99 |
Pontiflex
Pontiflex is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pontiflex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99 |
Positmob
Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.
The tag is: misp-galaxy:android="Positmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99 |
Premiumtext
Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans are often repackaged versions of genuine Android software packages, typically distributed outside the official Android Market.
The tag is: misp-galaxy:android="Premiumtext"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99 |
Pris
Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.
The tag is: misp-galaxy:android="Pris"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99 |
Qdplugin
Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Qdplugin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99 |
Qicsomos
Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Qicsomos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99 |
Qitmo
Qitmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Qitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99 |
Rabbhome
Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Rabbhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99 |
Repane
Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.
The tag is: misp-galaxy:android="Repane"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99 |
Reputation.1
Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.1"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99 |
Reputation.2
Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.2"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99 |
Reputation.3
Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.3"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99 |
RevMob
RevMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="RevMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99 |
Roidsec
Roidsec is a Trojan horse for Android devices that steals confidential information.
The tag is: misp-galaxy:android="Roidsec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99 |
Rootcager
Rootcager is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Rootcager"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99 |
Rootnik
Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.
The tag is: misp-galaxy:android="Rootnik"
Rootnik has relationships with:
- similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99 |
Rufraud
Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Rufraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99 |
Rusms
Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Rusms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99 |
Samsapo
Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.
The tag is: misp-galaxy:android="Samsapo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99 |
Sandorat
Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.
The tag is: misp-galaxy:android="Sandorat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99 |
Sberick
Sberick is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sberick"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99 |
Scartibro
Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.
The tag is: misp-galaxy:android="Scartibro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99 |
Scipiex
Scipiex is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Scipiex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99 |
Selfmite
Selfmite is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99 |
Selfmite.B
Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99 |
SellARing
SellARing is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SellARing"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99 |
SendDroid
SendDroid is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SendDroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99 |
Simhosy
Simhosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Simhosy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99 |
Simplocker
Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99 |
Simplocker.B
Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99 |
Skullkey
Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.
The tag is: misp-galaxy:android="Skullkey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99 |
Smaato
Smaato is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Smaato"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99 |
Smbcheck
Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.
The tag is: misp-galaxy:android="Smbcheck"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99 |
Smsblocker
Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.
The tag is: misp-galaxy:android="Smsblocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99 |
Smsbomber
Smsbomber is a program that can be used to send messages to contacts on the device.
The tag is: misp-galaxy:android="Smsbomber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99 |
Smslink
Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.
The tag is: misp-galaxy:android="Smslink"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99 |
Smspacem
Smspacem is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="Smspacem"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99 |
SMSReplicator
SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.
The tag is: misp-galaxy:android="SMSReplicator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99 |
Smssniffer
Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.
The tag is: misp-galaxy:android="Smssniffer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99 |
Smsstealer
Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smsstealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99 |
Smstibook
Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Smstibook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99 |
Smszombie
Smszombie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smszombie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99 |
Snadapps
Snadapps is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Snadapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99 |
Sockbot
Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.
The tag is: misp-galaxy:android="Sockbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99 |
Sockrat
Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Sockrat"
Sockrat has relationships with:
- similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99 |
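The "tag", "is also known as", "has relationships with" and "Links" lines on this page are rendered from the galaxy cluster JSON. The following is an added example, not code from the MISP project or from this page's generator, showing how that rendering works: it builds a UUID index across every loaded galaxy, turns each cluster value into its `misp-galaxy:<type>="<value>"` tag, resolves `related[].dest-uuid` edges to the tag of the target cluster (a relationship such as Sockrat's "similar: misp-galaxy:rat=..." only resolves if the `rat` galaxy is loaded too), and appends the `estimative-language` qualifier tags. The two cluster documents are constructed, minimal stand-ins with placeholder UUIDs; the key names follow the galaxy cluster schema, and the second Sockrat edge deliberately points at an unloaded UUID to show the dangling-reference case.

```python
"""Render MISP galaxy cluster JSON into the tag / relationship / links
layout used on this page. Added example; not MISP project code."""

# Constructed stand-ins for two galaxy cluster files (e.g. android.json
# and rat.json). Schema keys are the real ones ("type", "values", "value",
# "meta.refs", "meta.synonyms", "related[].dest-uuid/type/tags"); the
# UUIDs are placeholders and NOT the real cluster UUIDs.
ANDROID_CLUSTER = {
    "name": "Android", "type": "android", "version": 1,
    "uuid": "00000000-0000-4000-8000-00000000a11d",
    "values": [
        {
            "value": "Sockrat",
            "description": "Sockrat is a Trojan horse for Android devices that opens "
                           "a back door and steals information from the compromised device.",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "meta": {"refs": ["https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99"]},
            "related": [
                {"dest-uuid": "00000000-0000-4000-8000-000000000002",   # resolves to rat galaxy below
                 "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
                {"dest-uuid": "00000000-0000-4000-8000-0000000000ff",   # deliberately unloaded galaxy
                 "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
            ],
        },
        {
            "value": "SLocker",
            "description": "The SLocker family is one of the oldest mobile lock-screen "
                           "and file-encrypting ransomware families.",
            "uuid": "00000000-0000-4000-8000-000000000003",
            "meta": {"synonyms": ["SMSLocker"],
                     "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/"]},
        },
    ],
}

RAT_CLUSTER = {
    "name": "RAT", "type": "rat", "version": 1,
    "uuid": "00000000-0000-4000-8000-00000000ca7e",
    "values": [
        {"value": "Adwind RAT", "uuid": "00000000-0000-4000-8000-000000000002",
         "description": "Constructed placeholder description for the Adwind RAT entry.",
         "meta": {}},
    ],
}


def cluster_tag(galaxy_type, value):
    """Tag string MISP attaches when this cluster value is added to an event or attribute."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def build_index(*clusters):
    """Map every cluster-value UUID to its tag, across all loaded galaxies."""
    index = {}
    for cluster in clusters:
        for entry in cluster["values"]:
            index[entry["uuid"]] = cluster_tag(cluster["type"], entry["value"])
    return index


def relationships(entry, index):
    """Render 'related' edges as '<type>: <target tag> with <qualifier tags>'.

    A dest-uuid missing from the index is reported inline instead of being
    dropped silently: it usually means a galaxy the consumer has not loaded.
    """
    lines = []
    for rel in entry.get("related", []):
        target = index.get(rel["dest-uuid"])
        if target is None:
            target = f'<unresolved dest-uuid {rel["dest-uuid"]}>'
        line = f'{rel.get("type", "related-to")}: {target}'
        qualifiers = " ".join(rel.get("tags", []))
        if qualifiers:
            line += f" with {qualifiers}"
        lines.append(line)
    return lines


def render_entry(galaxy_type, entry, index):
    """Produce the per-value block layout used on this page."""
    name = entry["value"]
    out = [name, entry.get("description", "").strip(),
           f"The tag is: {cluster_tag(galaxy_type, name)}"]
    meta = entry.get("meta", {})
    if meta.get("synonyms"):
        out.append(f"{name} is also known as:")
        out += [f"- {s}" for s in meta["synonyms"]]
    rels = relationships(entry, index)
    if rels:
        out.append(f"{name} has relationships with:")
        out += [f"- {r}" for r in rels]
    if meta.get("refs"):
        out.append("Links")
        out += meta["refs"]
    return "\n".join(out)


def render_galaxy(cluster, index):
    """Render every value of one galaxy, separated by blank lines."""
    return "\n\n".join(render_entry(cluster["type"], e, index) for e in cluster["values"])


if __name__ == "__main__":
    idx = build_index(ANDROID_CLUSTER, RAT_CLUSTER)
    print(render_galaxy(ANDROID_CLUSTER, idx))
```

Running it prints the Sockrat and SLocker blocks in the same shape as this page; the second Sockrat relationship comes out as an unresolved UUID because no galaxy containing that entry was passed to `build_index`, which is the failure mode you see when consuming a single cluster file in isolation.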
Sofacy
Sofacy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sofacy"
Sofacy has relationships with:
- similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99 |
Sosceo
Sosceo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Sosceo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99 |
Spitmo
Spitmo is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Spitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99 |
Spitmo.B
Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spitmo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99 |
Spyagent
Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Spyagent"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99 |
Spybubble
Spybubble is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Spybubble"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99 |
Spydafon
Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="Spydafon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99 |
Spymple
Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Spymple"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99 |
Spyoo
Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spyoo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99 |
Spytekcell
Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytekcell"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99 |
Spytrack
Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytrack"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99 |
Spywaller
Spywaller is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spywaller"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99 |
Stealthgenie
Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Stealthgenie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99 |
Steek
Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.
The tag is: misp-galaxy:android="Steek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99 |
Stels
Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Stels"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99 |
Stiniter
Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Stiniter"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99 |
Sumzand
Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Sumzand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99 |
Sysecsms
Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sysecsms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99 |
Tanci
Tanci is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tanci"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99 |
Tapjoy
Tapjoy is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tapjoy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99 |
Tapsnake
Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.
The tag is: misp-galaxy:android="Tapsnake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99 |
Tascudap
Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.
The tag is: misp-galaxy:android="Tascudap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99 |
Teelog
Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Teelog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99 |
Temai
Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.
The tag is: misp-galaxy:android="Temai"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99 |
Tetus
Tetus is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Tetus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99 |
Tgpush
Tgpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tgpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99 |
Tigerbot
Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Tigerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99 |
Tonclank
Tonclank is a Trojan horse that steals information and may open a back door on Android devices.
The tag is: misp-galaxy:android="Tonclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99 |
Trogle
Trogle is a worm for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Trogle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99 |
Twikabot
Twikabot is a Trojan horse for Android devices that attempts to steal information.
The tag is: misp-galaxy:android="Twikabot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99 |
Uapush
Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Uapush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99 |
Umeng
Umeng is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Umeng"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99 |
Updtbot
Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.
The tag is: misp-galaxy:android="Updtbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99 |
Upush
Upush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Upush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99 |
Uracto
Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.
The tag is: misp-galaxy:android="Uracto"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99 |
Uranico
Uranico is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Uranico"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99 |
Usbcleaver
Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Usbcleaver"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99 |
Utchi
Utchi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Utchi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99 |
Uten
Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.
The tag is: misp-galaxy:android="Uten"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99 |
Uupay
Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.
The tag is: misp-galaxy:android="Uupay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99 |
Uxipp
Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Uxipp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99 |
Vdloader
Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.
The tag is: misp-galaxy:android="Vdloader"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99 |
VDopia
VDopia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VDopia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99 |
Virusshield
Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.
The tag is: misp-galaxy:android="Virusshield"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99 |
VServ
VServ is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VServ"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99 |
Walkinwat
Walkinwat is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Walkinwat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99 |
Waps
Waps is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99 |
Waren
Waren is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waren"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99 |
Windseeker
Windseeker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Windseeker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99 |
Wiyun
Wiyun is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wiyun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99 |
Wooboo
Wooboo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wooboo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99 |
Wqmobile
Wqmobile is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wqmobile"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99 |
YahooAds
YahooAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YahooAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99 |
Yatoot
Yatoot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Yatoot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99 |
Yinhan
Yinhan is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Yinhan"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99 |
Youmi
Youmi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Youmi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99 |
YuMe
YuMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YuMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99 |
Zeahache
Zeahache is a Trojan horse that elevates privileges on the compromised device.
The tag is: misp-galaxy:android="Zeahache"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99 |
ZertSecurity
ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.
The tag is: misp-galaxy:android="ZertSecurity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99 |
ZestAdz
ZestAdz is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ZestAdz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99 |
Zeusmitmo
Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Zeusmitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99 |
SLocker
The SLocker family is one of the oldest mobile lock-screen and file-encrypting ransomware families, and it used to impersonate law enforcement agencies to convince victims to pay the ransom.
The tag is: misp-galaxy:android="SLocker"
SLocker is also known as:
- SMSLocker
Links |
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/ |
Loapi
A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.
The tag is: misp-galaxy:android="Loapi"
Links |
Podec
Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.
The tag is: misp-galaxy:android="Podec"
Links |
Chamois
Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.
The tag is: misp-galaxy:android="Chamois"
IcicleGum
IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.
The tag is: misp-galaxy:android="IcicleGum"
IcicleGum has relationships with:
- similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BreadSMS
BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.
The tag is: misp-galaxy:android="BreadSMS"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
JamSkunk
JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.
The tag is: misp-galaxy:android="JamSkunk"
Expensive Wall
Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.
The tag is: misp-galaxy:android="Expensive Wall"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BambaPurple
BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.
The tag is: misp-galaxy:android="BambaPurple"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
KoreFrog
KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.
The tag is: misp-galaxy:android="KoreFrog"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
Gaiaphish
Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages).
The tag is: misp-galaxy:android="Gaiaphish"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
RedDrop
RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.
The tag is: misp-galaxy:android="RedDrop"
Links |
https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/ |
HenBox
HenBox apps masquerade as others such as VPN apps and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps; however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.
The tag is: misp-galaxy:android="HenBox"
Links |
https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/ |
MysteryBot
Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.
The tag is: misp-galaxy:android="MysteryBot"
MysteryBot has relationships with:
- similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"
Links |
Skygofree
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.
The tag is: misp-galaxy:android="Skygofree"
Skygofree has relationships with:
- similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
BusyGasper
A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.
The tag is: misp-galaxy:android="BusyGasper"
Links |
Triout
Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.
The tag is: misp-galaxy:android="Triout"
Links |
AndroidOS_HidenAd
An active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store.
The tag is: misp-galaxy:android="AndroidOS_HidenAd"
AndroidOS_HidenAd is also known as:
- AndroidOS_HiddenAd
Links |
Razdel
The banking Trojan found in Google Play is identified as Razdel, a variant of the BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level by incorporating remote access Trojan functions, SMS interception, UI (user interface) overlays with masqueraded pages, etc.
The tag is: misp-galaxy:android="Razdel"
Links |
https://mobile.twitter.com/pr3wtd/status/1097477833625088000 |
Vulture
Vulture is an Android banking trojan found in Google Play by ThreatFabric. It uses screen recording and keylogging as its main strategy to harvest login credentials.
The tag is: misp-galaxy:android="Vulture"
Links |
Anubis
Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) were discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis masquerades as Google Protect.
The tag is: misp-galaxy:android="Anubis"
Links |
GodFather
The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.
The tag is: misp-galaxy:android="GodFather"
GodFather has relationships with:
- successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"
Links |
Coper
Octo, also known as Coper or ExobotCompact, is an Android banking Trojan that evolved from the Exobot malware family, first observed in 2016. Initially based on the Marcher Trojan, Exobot targeted financial institutions globally until 2018, when a lighter version, ExobotCompact, emerged. By 2021, a new variant appeared, named Coper by some antivirus vendors, but later renamed as Octo — a rebranded and enhanced ExobotCompact. In 2024, Octo2, an even more advanced iteration, was released, driven partly by the leak of Octo’s source code. The Malware-as-a-Service (MaaS) model makes Octo accessible to even novice cybercriminals.
The tag is: misp-galaxy:android="Coper"
Coper is also known as:
- ExobotCompact
- OCTO
- Octo2
Coper has relationships with:
- similar: misp-galaxy:malpedia="Coper" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:malpedia="ExoBot" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:android="ExoBot" with estimative-language:likelihood-probability="likely"
ExoBot
An Android banking trojan that went inactive and whose source code was leaked.
The tag is: misp-galaxy:android="ExoBot"
ExoBot has relationships with:
- similar: misp-galaxy:malpedia="ExoBot" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:malpedia="Coper" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:android="Coper" with estimative-language:likelihood-probability="likely"
Links |
https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html |
https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/ |
Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors: AlertIQ, Craig Fretwell, Dor Edry, Jonny Johnson, Karl Fosaaen, MITRE ATT&CK, Manuel Berrueta, Microsoft, Nestori Syynimaa, Nikhil Mittal, Ram Pliskin, Roberto Rodriguez, Ryan Cobb
AZT101 - Port Mapping
It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface’s assigned Network Security Group.
The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101 |
AZT102 - IP Discovery
It is possible to view the IP address of a resource by viewing the Virtual Network Interface.
The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102 |
AZT103 - Public Accessible Resource
A resource within Azure is accessible from the public internet.
The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103 |
AZT104 - Gather User Information
An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users’ roles and group memberships within AAD.
The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104 |
AZT105 - Gather Application Information
An adversary may obtain information about an application within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105 |
AZT106 - Gather Role Information
An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.
The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106 |
AZT106.1 - Gather AAD Role Information
An adversary may gather role assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1 |
AZT106.2 - Gather Application Role Information
An adversary may gather information about an application role and its member assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2 |
AZT106.3 - Gather Azure Resources Role Assignments
An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.
The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3 |
AZT107 - Gather Resource Data
An adversary may obtain information and data within a resource.
The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107 |
AZT108 - Gather Victim Data
An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.
The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108 |
AZT201 - Valid Credentials
Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.
The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201 |
AZT201.1 - User Account
By obtaining valid user credentials, an adversary may log in to AzureAD via the command line or through the Azure Portal.
The tag is: misp-galaxy:atrm="AZT201.1 - User Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1 |
AZT201.2 - Service Principal
By obtaining a valid secret or certificate, an adversary may log in to AzureAD via the command line.
The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2 |
AZT202 - Password Spraying
An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.
The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202 |
AZT203 - Malicious Application Consent
An adversary may lure a victim into granting access to a malicious application registered in AzureAD.
The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203 |
AZT301 - Virtual Machine Scripting
Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.
The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301 |
AZT301.1 - RunCommand
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:
* Windows: PowerShell commands to the VM as SYSTEM.
* Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1 |
AZT301.2 - CustomScriptExtension
By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2 |
AZT301.3 - Desired State Configuration
By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3 |
AZT301.4 - Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4 |
AZT301.5 - AKS Command Invoke
By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster’s VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5 |
AZT301.6 - Vmss Run Command
By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:
* Windows: PowerShell commands to the VM as SYSTEM.
* Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6 |
AZT301.7 - Serial Console
By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7 |
AZT302 - Serverless Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302 |
AZT302.1 - Automation Account Runbook Hybrid Worker Group
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1 |
AZT302.2 - Automation Account Runbook RunAs Account
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2 |
AZT302.3 - Automation Account Runbook Managed Identity
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3 |
AZT302.4 - Function Application
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4 |
AZT303 - Managed Device Scripting
Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.
The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303 |
AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401 |
AZT402 - Elevated Access Toggle
An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator.
The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402 |
AZT403 - Local Resource Hijack
By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.
The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1 |
AZT404 - Principal Impersonation
Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.
The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404 |
AZT404.1 - Function Application
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1 |
AZT404.2 - Logic Application
By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2 |
AZT404.3 - Automation Account
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3 |
AZT404.4 - App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.4 - App Service"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4 |
AZT405 - Azure AD Application
Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.
The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405 |
AZT405.1 - Application API Permissions
By compromising a user, a user in a group, or a service principal that holds an application role over an application, an attacker may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.
The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1 |
AZT405.2 - Application Role
By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.
The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2 |
AZT405.3 - Application Registration Owner
By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or client secret to the application and logging in as its service principal.
The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3 |
AZT501 - Account Manipulation
An adversary may manipulate an account to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501 |
AZT501.1 - User Account Manipulation
An adversary may manipulate a user account to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1 |
AZT501.2 - Service Principal Manipulation
An adversary may manipulate a service principal to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2 |
AZT501.3 - Azure VM Local Administrator Manipulation
An adversary may manipulate the local administrator account on an Azure VM to maintain access to it.
The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3 |
AZT502 - Account Creation
An adversary may create an account in Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT502 - Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502 |
AZT502.1 - User Account Creation
An adversary may create a user account in Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1 |
AZT502.2 - Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2 |
AZT502.3 - Guest Account Creation
An adversary may create a guest account in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3 |
AZT503 - HTTP Trigger
Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503 |
AZT503.1 - Logic Application HTTP Trigger
Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1 |
AZT503.2 - Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2 |
AZT503.3 - Runbook Webhook
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3 |
AZT503.4 - WebJob
Adversaries may create a WebJob on an App Service, which allows arbitrary background tasks to be run on a set schedule.
The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4 |
AZT504 - Watcher Tasks
By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504 |
AZT505 - Scheduled Jobs
Adversaries may create a schedule for a Runbook to run at a defined interval.
The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1 |
AZT506 - Network Security Group Modification
Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506 |
AZT507 - External Entity Access
Adversaries may configure the target Azure tenant to be managed by another, external tenant or by its users.
The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507 |
AZT507.1 - Azure Lighthouse
Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant
The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1 |
AZT507.2 - Microsoft Partners
Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2 |
AZT507.3 - Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.
The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3 |
AZT507.4 - Domain Trust Modification
An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4 |
AZT508 - Azure Policy
By configuring a policy with a 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor each time the policy is triggered.
The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508 |
AZT601 - Steal Managed Identity JsonWebToken
An adversary may utilize the resource's own functionality to obtain a JWT for the Managed Identity service principal assigned to it.
The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601 |
AZT601.1 - Virtual Machine IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1 |
AZT601.2 - Azure Kubernetes Service IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2 |
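The following is an added example for AZT601.1 and AZT601.2; it is not part of the ATRM or of this galaxy. It shows the request that a process with code execution on a VM or AKS node sends to the Instance Metadata Service (IMDS) to obtain a managed identity token, and how an incident responder reads the claims of such a token to learn which identity was stolen. The IMDS endpoint, the `Metadata: true` header and the query parameters are Azure's documented interface; the token in the block is a constructed sample with a fake signature so that the example runs offline.

```python
"""Added example (not from the ATRM or this MISP galaxy): request a managed
identity token from IMDS and inspect a token's claims during triage.  The
SAMPLE_TOKEN is CONSTRUCTED (fake signature) so this runs without Azure."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_imds_token_request(resource="https://management.azure.com/",
                             api_version="2018-02-01", client_id=None):
    """Return the HTTP request a process on the VM or AKS node sends to IMDS.

    IMDS only answers requests that carry `Metadata: true` and rejects ones
    with an X-Forwarded-For header, so code execution on the host (not merely
    SSRF) is normally required, which is the precondition AZT601.1/601.2 name."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:                       # select one user-assigned identity
        params["client_id"] = client_id
    return Request(f"{IMDS_TOKEN_URL}?{urlencode(params)}",
                   headers={"Metadata": "true"}, method="GET")


def _b64url_decode(segment):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the JWT payload WITHOUT verifying the signature: Azure AD signed
    it, and for triage we only need to read which identity it belongs to."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def summarize_managed_identity_token(token):
    """Extract the claims an incident responder wants from a stolen token."""
    claims = decode_jwt_claims(token)
    return {
        "tenant": claims.get("tid"),
        "app_id": claims.get("appid"),
        # xms_mirid is the ARM resource id of the managed identity; for a
        # system-assigned identity that is the VM (or other resource) itself
        "identity_resource_id": claims.get("xms_mirid"),
        "audience": claims.get("aud"),
        "expires_epoch": claims.get("exp"),
    }


def _constructed_token(claims):
    """Build an unsigned sample token for offline use (signature is fake)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([enc(header), enc(claims), "not-a-real-signature"])


# Constructed sample claims modelled on a system-assigned identity of VM web01.
SAMPLE_TOKEN = _constructed_token({
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "appid": "11111111-1111-1111-1111-111111111111",
    "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000002"
                 "/resourcegroups/rg-web/providers/Microsoft.Compute"
                 "/virtualMachines/web01",
    "exp": 1717200000,
})

if __name__ == "__main__":
    req = build_imds_token_request()
    print("GET", req.full_url, dict(req.header_items()))
    print(json.dumps(summarize_managed_identity_token(SAMPLE_TOKEN), indent=2))
```

On the host the same request is the one-liner `curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"`; the request itself leaves no trace in Azure, so detection relies on the subsequent use of the token, which appears as managed identity sign-ins and as Activity Log operations performed by the identity's service principal from an unexpected source.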
AZT601.3 - Logic Application JWT PUT Request
If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3 |
AZT601.4 - Function Application JWT GET Request
If a Function App is using a Managed Identity, an adversary can modify its logic to respond to an HTTP GET request with the Managed Identity's JWT.
The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4 |
AZT601.5 - Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5 |
AZT602 - Steal Service Principal Certificate
If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1 |
AZT603 - Service Principal Secret Reveal
If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.
The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1 |
AZT604 - Azure KeyVault Dumping
An adversary may access an Azure Key Vault in an attempt to view secrets, certificates, or keys.
The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604 |
AZT604.1 - Azure KeyVault Secret Dump
By accessing an Azure Key Vault, an adversary may dump any or all secrets.
The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1 |
AZT604.2 - Azure KeyVault Certificate Dump
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2 |
AZT604.3 - Azure KeyVault Key Dump
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that private key material cannot be retrieved this way.
The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3 |
AZT605 - Resource Secret Reveal
An adversary may access an Azure resource, such as a Storage Account, an Automation Account or a Resource Group's deployment history, in an attempt to reveal secrets or credentials stored with that resource.
The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605 |
AZT605.1 - Storage Account Access Key Dumping
By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1 |
AZT605.2 - Automation Account Credential Secret Dump
By editing a Runbook, a credential configured in an Automation Account may be revealed
The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2 |
AZT605.3 - Resource Group Deployment History Secret Dump
By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.
The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3 |
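The following is an added example for AZT605.3; it is not part of the ATRM or of this galaxy. It audits Resource Group deployment history for values that an adversary with read access could recover: parameters declared as `securestring` or `secureobject` are not retained with the deployment, but any other parameter value and every output value are. The deployment records in the block are constructed and only mimic the shape of what `az deployment group list` returns (a name plus `properties.parameters` and `properties.outputs`); the names and thresholds are assumptions.

```python
"""Added example (not from the ATRM or this MISP galaxy): find secrets left
readable in Resource Group deployment history.  SAMPLE_DEPLOYMENTS is
CONSTRUCTED and only mimics the shape of `az deployment group list` output."""
import math
import re
from collections import Counter

SECRET_NAME_RE = re.compile(
    r"(password|passwd|pwd|secret|token|apikey|api_key|accountkey|"
    r"connectionstring|sas|privatekey)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}   # values are not retained


def shannon_entropy(text):
    """Bits per character: random key material scores high, names score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_exposed_secrets(deployments, min_len=20, min_entropy=4.0):
    """Return parameters/outputs whose value survives in deployment history
    and either has a secret-like name or looks like key material."""
    findings = []
    for dep in deployments:
        props = dep.get("properties", {})
        for section in ("parameters", "outputs"):
            for name, entry in props.get(section, {}).items():
                if str(entry.get("type", "")).lower() in SECURE_TYPES:
                    continue                      # ARM stores no value here
                value = entry.get("value")
                if not isinstance(value, str):
                    continue
                reasons = []
                if SECRET_NAME_RE.search(name):
                    reasons.append("secret-like name")
                if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                    reasons.append("high-entropy value")
                if reasons:
                    findings.append({
                        "deployment": dep.get("name"),
                        "section": section,
                        "name": name,
                        "reasons": reasons,
                        # never echo the full value into a ticket or log
                        "preview": (value[:4] + "..." + value[-2:]) if len(value) > 8 else "***",
                    })
    return findings


# Constructed sample: the first deployment leaks the VM admin password as a
# plain String parameter and a storage connection string as an output; the
# second used SecureString, so nothing recoverable remains in the history.
SAMPLE_DEPLOYMENTS = [
    {"name": "web-deploy-2024-03-01", "properties": {
        "parameters": {
            "adminUsername": {"type": "String", "value": "azureuser"},
            "adminPassword": {"type": "String", "value": "P@ssw0rd-Rotate-Me!"},
            "storageAccountName": {"type": "String", "value": "stprod01"},
        },
        "outputs": {
            "primaryConnectionString": {"type": "String", "value":
                "DefaultEndpointsProtocol=https;AccountName=stprod01;"
                "AccountKey=Q2ONSTRUCTEDkEyAbCdEfGhIjKlMnOpQrStUvWxYz0123456789==;"
                "EndpointSuffix=core.windows.net"},
            "webAppHostname": {"type": "String", "value": "web01.azurewebsites.net"},
        }}},
    {"name": "db-deploy-2024-03-02", "properties": {
        "parameters": {
            "sqlAdminPassword": {"type": "SecureString"},
            "sqlServerName": {"type": "String", "value": "sql-prod-01"},
        },
        "outputs": {}}},
]

if __name__ == "__main__":
    for finding in find_exposed_secrets(SAMPLE_DEPLOYMENTS):
        print(finding)
```

The remediation the audit points to is twofold: change the template so that the parameter is `securestring` (or pass it by Key Vault reference) and rotate the exposed credential, because redeploying does not remove the old deployment record from the history.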
AZT701 - SAS URI Generation
By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701 |
AZT701.1 - VM Disk SAS URI
An adversary may create an SAS URI to download the disk attached to a virtual machine.
The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1 |
AZT701.2 - Storage Account File Share SAS
By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2 |
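The following is an added example for AZT701, AZT701.1 and AZT701.2; it is not part of the ATRM or of this galaxy. A Shared Access Signature found in logs, tickets or source code is only dangerous while it is valid, and how dangerous depends on what it signs, so the block parses the documented SAS query fields (`sv`, `ss`, `srt`, `sr`, `sp`, `st`, `se`, `sip`, `spr`, `sig`) and labels the URI. The two URIs and the reference time are constructed; their `sig` values are not valid signatures, and the 30-day "long-lived" threshold is an assumption.

```python
"""Added example (not from the ATRM or this MISP galaxy): triage a SAS URI.
Both sample URIs are CONSTRUCTED (their signatures are not valid)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process",
                    "t": "tag", "f": "filter", "x": "delete-version",
                    "y": "permanent-delete", "i": "set-immutability"}
MUTATING = {"w", "d", "a", "c", "u", "x", "y"}


def _parse_sas_time(value):
    """SAS times are UTC ISO 8601; a date-only form is also accepted."""
    if value is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def parse_sas_uri(uri):
    """Split a SAS URI into the facts an analyst needs."""
    parts = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "ss" in q:
        kind = "account"              # signed services => account SAS
    elif "skoid" in q:
        kind = "user-delegation"      # signed with an Entra user delegation key
    elif "sr" in q:
        kind = "service"              # one blob/container/share/file
    else:
        kind = "unknown"
    return {
        "resource": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "kind": kind,
        "signed_resource": q.get("sr") or q.get("srt"),
        "permissions": [PERMISSION_NAMES.get(ch, ch) for ch in q.get("sp", "")],
        "raw_permissions": q.get("sp", ""),
        "start": _parse_sas_time(q.get("st")),
        "expiry": _parse_sas_time(q.get("se")),
        "allowed_ips": q.get("sip"),
        "protocol": q.get("spr", "https,http"),   # absent => both allowed
        "has_signature": "sig" in q,
    }


def sas_findings(uri, now=None, long_lived=timedelta(days=30)):
    """Label a SAS URI: is it live, for how long, and what does it grant."""
    now = now or datetime.now(timezone.utc)
    sas = parse_sas_uri(uri)
    labels = []
    if sas["expiry"] is None:
        labels.append("no_expiry")
    elif sas["expiry"] < now:
        labels.append("expired")
    elif sas["start"] and sas["start"] > now:
        labels.append("not_yet_valid")
    else:
        labels.append("active")
        if sas["expiry"] - now > long_lived:
            labels.append("long_lived")
    if MUTATING & set(sas["raw_permissions"]):
        labels.append("write_or_delete")
    if not sas["allowed_ips"]:
        labels.append("no_ip_restriction")
    if "http" in sas["protocol"].split(","):
        labels.append("http_allowed")
    return labels


# Constructed samples: an account SAS valid for years with every permission,
# and a read-only blob SAS for a VM disk image that has already expired.
LONG_LIVED_ACCOUNT_SAS = (
    "https://stprod01.blob.core.windows.net/backups?sv=2022-11-02&ss=bf&srt=sco"
    "&sp=rwdlacupx&st=2024-01-01T00:00:00Z&se=2030-12-31T23:59:59Z&spr=https"
    "&sig=CONSTRUCTED%2BNOT%2BVALID%3D")
EXPIRED_BLOB_SAS = (
    "https://stprod01.blob.core.windows.net/vhds/web01.vhd?sv=2022-11-02&sr=b"
    "&sp=r&se=2024-02-01T00:00:00Z&sip=203.0.113.0/24&spr=https"
    "&sig=CONSTRUCTED%2BNOT%2BVALID%3D")
TRIAGE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "now"

if __name__ == "__main__":
    for uri in (LONG_LIVED_ACCOUNT_SAS, EXPIRED_BLOB_SAS):
        print(parse_sas_uri(uri)["resource"], sas_findings(uri, now=TRIAGE_TIME))
```

The SAS returned when access is granted to a managed disk (AZT701.1) is a blob SAS and parses the same way. A SAS signed with an account key stays valid until `se` or until that key is rotated, which is the only way to revoke it; a user-delegation SAS can additionally be revoked by deleting the delegation key.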
AZT702 - File Share Mounting
An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1 |
AZT703 - Replication
The tag is: misp-galaxy:atrm="AZT703 - Replication"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1 |
AZT704 - Soft-Delete Recovery
An adversary may leverage resources found in a 'soft deletion' state, restore them and advance their attack by retrieving contents that were meant to be deleted.
The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704 |
AZT704.1 - Key Vault
An adversary may recover a key vault object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1 |
AZT704.2 - Storage Account Object
An adversary may recover a storage account object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2 |
AZT704.3 - Recovery Services Vault
An adversary may recover a virtual machine object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3 |
AZT705 - Azure Backup Delete
An adversary may delete Azure Backup data, such as backup items held in a Recovery Services Vault, so that the affected resources can no longer be restored.
The tag is: misp-galaxy:atrm="AZT705 - Azure Backup Delete"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3 |
attck4fraud
attck4fraud - Principles of MITRE ATT&CK in the fraud domain.
attck4fraud is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Francesco Bigarella - Christophe Vandeplas
Phishing
In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.
The tag is: misp-galaxy:financial-fraud="Phishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Spear phishing
Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.
The tag is: misp-galaxy:financial-fraud="Spear phishing"
Spear phishing is also known as:
-
Spear-phishing
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM skimming
ATM Skimming refers to the act of capturing the data stored on a bank cards (tracks) and the Personal Identification Number (PIN) associated to that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.
The tag is: misp-galaxy:financial-fraud="ATM skimming"
ATM skimming is also known as:
-
Skimming - CPP ATM
ATM cash trapping
Trapping the cash dispenser with a physical component so that dispensed notes are retained for later collection. Type 1 devices are visible to the user; type 2 devices are hidden inside the cash dispenser.
The tag is: misp-galaxy:financial-fraud="ATM cash trapping"
ATM cash trapping is also known as:
-
Cash Trapping
Links |
https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM Shimming
ATM Shimming refers to the act of capturing bank card data by reading the EMV chip on the card while the card is inserted into an ATM. Due to their low profile, shimmers can be fitted inside the ATM card reader and are therefore more difficult to detect than skimmers.
The tag is: misp-galaxy:financial-fraud="ATM Shimming"
Vishing
Vishing, also known as voice phishing, is the criminal practice of using social engineering over the telephone system to obtain private personal and financial information from the public for financial gain. It is also employed by attackers for reconnaissance, to gather more detailed intelligence on a target organisation.
The tag is: misp-galaxy:financial-fraud="Vishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
POS Skimming
Capture of card data at a compromised point-of-sale (POS) terminal. Common Point of Purchase (CPP) analysis identifies the likely merchant, POS or ATM location from which card numbers were stolen, so that banks can mitigate fraud on other cards compromised there.
The tag is: misp-galaxy:financial-fraud="POS Skimming"
POS Skimming is also known as:
-
Skimming - CPP POS
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Malware
Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
The tag is: misp-galaxy:financial-fraud="Malware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Account-Checking Services
Account-Checking Services
The tag is: misp-galaxy:financial-fraud="Account-Checking Services"
ATM Black Box Attack
Type of Jackpotting attack. Connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to “cash out” the ATM.
The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"
ATM Black Box Attack is also known as:
-
Black Box Attack
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Investment Fraud
A deceptive practice in the stock or commodities markets that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of securities laws.
The tag is: misp-galaxy:financial-fraud="Investment Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Romance Scam
Romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to commit fraud. Fraudulent acts may involve access to the victim’s money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.
The tag is: misp-galaxy:financial-fraud="Romance Scam"
Romance Scam is also known as:
-
Romance Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Buying/Renting Fraud
Buying/Renting Fraud
The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"
Fake Invoice Fraud
Invoice fraud happens when a company or organisation is tricked into changing bank account payee details for a payment. Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed or emit false invoices.
The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"
Fake Invoice Fraud is also known as:
-
Invoice Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Business Email Compromise
Business Email Compromise
The tag is: misp-galaxy:financial-fraud="Business Email Compromise"
Compromised Payment Cards
The loss of or theft of a card, which is subsequently used for illegal purposes until blocked by the card issuer.
The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"
Compromised Payment Cards is also known as:
-
Lost/Stolen Card
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Compromised Account Credentials
Account takeover fraud is a form of identity theft in which the fraudster gains access to a victim's bank or credit card accounts, through a data breach, malware or phishing, and uses them to make unauthorised transactions.
The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"
Compromised Account Credentials is also known as:
-
Account Takeover Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Compromised Personally Identifiable Information (PII)
Compromised Personally Identifiable Information (PII)
The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"
Compromised Intellectual Property (IP)
Compromised Intellectual Property (IP)
The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"
Cryptocurrency Exchange
Cryptocurrency Exchange
The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"
ATM Explosive Attack
ATM Explosive Attack
The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"
CNP – Card Not Present
A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant’s visual examination at the time that an order is given and payment effected
The tag is: misp-galaxy:financial-fraud="CNP – Card Not Present"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
CP – Card Present
A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction
The tag is: misp-galaxy:financial-fraud="CP – Card Present"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Merchant Fraud
Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.
The tag is: misp-galaxy:financial-fraud="Merchant Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Virtual Currency Fraud
Fraud that involves virtual currency, or virtual money, which is a type of unregulated, digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.
The tag is: misp-galaxy:financial-fraud="Virtual Currency Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Cheque Fraud
A category of criminal acts that involve making unlawful use of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or the account holder's legal ownership. Most methods take advantage of the time between the negotiation of the cheque and its clearance at the cheque writer's financial institution to draw out these funds.
The tag is: misp-galaxy:financial-fraud="Cheque Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Digital Fraud
Fraud perpetrated via omni-channel means against digital banking or payment channels such as home banking or other electronic services.
The tag is: misp-galaxy:financial-fraud="Digital Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Mobile Fraud
Fraud perpetrated via mobile devices to digital banking, payments channels such as home banking or other electronic services, or online merchants
The tag is: misp-galaxy:financial-fraud="Mobile Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Telephone Fraud
Fraud perpetrated via land line telephone means to banking or payments channels such as home banking or other electronic services or merchants
The tag is: misp-galaxy:financial-fraud="Telephone Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Standing Order Fraud
A standing order is an automated method of making payments, where a person or business instructs their bank to pay another person or business a fixed amount of money at regular intervals. Fraud occurs when a standing order is falsely created or adulterated.
The tag is: misp-galaxy:financial-fraud="Standing Order Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
CEO/BEC Fraud
A scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential information
The tag is: misp-galaxy:financial-fraud="CEO/BEC Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Money laundering
An illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. The overall scheme of this process returns the money to the launderer in an obscure and indirect way.
The tag is: misp-galaxy:financial-fraud="Money laundering"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
BIN Attack
Credit cards are issued in BIN ranges. Where an issuer does not generate card numbers randomly, an attacker who obtains one good card number can generate further valid card numbers in the same range.
The tag is: misp-galaxy:financial-fraud="BIN Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
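The following is an added example and is not part of attck4fraud or of this galaxy. The attacker behaviour described above leaves a recognisable trace in authorisation logs: at one merchant, within a short window, many distinct cards from one BIN with near-sequential account numbers, most of them declined. The block parses a constructed authorisation log and raises an alert on that pattern; the log format, the field names, the merchant identifiers and the thresholds are assumptions, and the card numbers are constructed in the 411111 test range.

```python
"""Added example (not from attck4fraud or this MISP galaxy): detect a BIN
attack in authorisation logs.  SAMPLE_AUTH_LOG is CONSTRUCTED; its PANs are
Luhn-valid numbers in the 411111 test range, not real cards."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def luhn_valid(pan):
    """ISO/IEC 7812 check digit; rejects malformed input before analysis."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four, as PCI DSS permits in displays and alerts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_auth_log(text):
    rows = []
    for rec in csv.DictReader(io.StringIO(text.strip())):
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(rec)
    return rows


def detect_bin_attacks(rows, window=timedelta(minutes=10), min_cards=5,
                       decline_ratio=0.6, max_gap=2):
    """Group authorisations by (merchant, BIN) and slide a time window over
    them; alert when enough distinct cards appear and either most attempts
    are declined or the account numbers run (nearly) sequentially."""
    groups = defaultdict(list)
    for r in rows:
        if luhn_valid(r["pan"]):
            groups[(r["merchant_id"], r["pan"][:6])].append(r)
    alerts = []
    for (merchant, bin6), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            pans = {r["pan"] for r in win}
            if len(pans) < min_cards:
                continue
            declined = sum(r["result"] == "DECLINED" for r in win) / len(win)
            # account identifier = digits between the 6-digit BIN and the check digit
            accounts = sorted(int(p[6:-1]) for p in pans)
            sequential = sum(1 for a, b in zip(accounts, accounts[1:]) if b - a <= max_gap)
            if declined >= decline_ratio or sequential >= min_cards - 1:
                if best is None or len(pans) > best["distinct_cards"]:
                    best = {"merchant_id": merchant, "bin": bin6,
                            "distinct_cards": len(pans),
                            "decline_ratio": round(declined, 2),
                            "sequential_pairs": sequential,
                            "first_seen": win[0]["ts"], "last_seen": win[-1]["ts"],
                            "sample_cards": sorted(mask_pan(p) for p in pans)[:3]}
        if best:
            alerts.append(best)
    return alerts


# Constructed log: eight sequential PANs tried at MERCH-7731 in two minutes,
# six of them declined, plus ordinary traffic that must not alert.
SAMPLE_AUTH_LOG = """
timestamp,merchant_id,pan,result
2024-05-01T10:00:01Z,MERCH-7731,4111111111110006,DECLINED
2024-05-01T10:00:14Z,MERCH-7731,4111111111110014,DECLINED
2024-05-01T10:00:29Z,MERCH-7731,4111111111110022,APPROVED
2024-05-01T10:00:41Z,MERCH-7731,4111111111110030,DECLINED
2024-05-01T10:00:58Z,MERCH-7731,4111111111110048,DECLINED
2024-05-01T10:01:12Z,MERCH-7731,4111111111110055,DECLINED
2024-05-01T10:01:30Z,MERCH-7731,4111111111110063,APPROVED
2024-05-01T10:01:47Z,MERCH-7731,4111111111110071,DECLINED
2024-05-01T10:02:05Z,MERCH-0042,5555555555554444,APPROVED
2024-05-01T10:03:40Z,MERCH-0042,4111111111111111,APPROVED
2024-05-01T10:04:00Z,MERCH-7731,5555555555554444,APPROVED
"""

if __name__ == "__main__":
    for alert in detect_bin_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

In a production pipeline the PAN would be tokenised, so the sequential-number signal needs the token service to expose an order-preserving account identifier or is dropped in favour of the velocity and decline-ratio signals; issuers that use 8-digit BINs change the slice accordingly.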
DoS - Denial of Service Attack
In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet
The tag is: misp-galaxy:financial-fraud="DoS - Denial of Service Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
MITM - Man-in-the-Middle Attack
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other
The tag is: misp-galaxy:financial-fraud="MITM - Man-in-the-Middle Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Transaction Reversal Fraud
Unauthorised physical manipulation of an ATM cash withdrawal so that it appears the cash has not been dispensed, causing a reversal message to be generated although the cash was in fact taken (see the full terminal fraud definition at the linked source).
The tag is: misp-galaxy:financial-fraud="Transaction Reversal Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Transaction Message Adulteration
The data contained in an authorisation message is manipulated to try to fool the payment processor.
The tag is: misp-galaxy:financial-fraud="Transaction Message Adulteration"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
First Party (Friendly) Fraud
Fraud committed against a financial institution by one of its own customers
The tag is: misp-galaxy:financial-fraud="First Party (Friendly) Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Identity Spoofing (or entity hacking)
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen or spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look as if the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages: any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack in which the adversary attempts to change the apparent identity.
The tag is: misp-galaxy:financial-fraud="Identity Spoofing (or entity hacking)"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Authorised Push Payment Fraud
A form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.
The tag is: misp-galaxy:financial-fraud="Authorised Push Payment Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Direct Debit Fraud
Direct debit fraud can take place in several ways. It is often associated with identity theft, where the scammer gains access to the bank account information by posing as the victim. They can pay for services and products via a direct debit option and use this account until its owner notices.
The tag is: misp-galaxy:financial-fraud="Direct Debit Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Extortion
Obtaining benefit through coercion
The tag is: misp-galaxy:financial-fraud="Extortion"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Smishing
Smishing, also known as "SMS phishing", is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver information and/or requests to induce people to divulge, or to take action that will compromise, their personal or confidential information.
The tag is: misp-galaxy:financial-fraud="Smishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Shoulder Surfing
Technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder
The tag is: misp-galaxy:financial-fraud="Shoulder Surfing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Distraction
The process of diverting the attention of an individual or group from a desired area of focus and thereby blocking or diminishing the reception of desired information.
The tag is: misp-galaxy:financial-fraud="Distraction"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Push Payments
Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.
The tag is: misp-galaxy:financial-fraud="Push Payments"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM Malware
Unauthorised software, or authorised software run in an unauthorised manner, on an ATM PC - SEE FULL TERMINAL FRAUD DEFINITION
The tag is: misp-galaxy:financial-fraud="ATM Malware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Data Breach
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or computer network by an entity unauthorised to do so.
The tag is: misp-galaxy:financial-fraud="Data Breach"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid
The tag is: misp-galaxy:financial-fraud="Ransomware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Fake Website
A website that is not a legitimate venue; the site is designed to entice the visitor into revealing sensitive information, to download some form of malware or to purchase products that never arrive.
The tag is: misp-galaxy:financial-fraud="Fake Website"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Fake App
Apps in mobile devices that trick users into downloading them. They may also pose as quirky and attractive apps, providing interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.
The tag is: misp-galaxy:financial-fraud="Fake App"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
e-Skimming
Cyber criminals introduce skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.
The tag is: misp-galaxy:financial-fraud="e-Skimming"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Skimming - CPP UPT
CPP analysis identifies the payment terminal locations (parking, transport, fuel, etc.) from which card numbers were stolen, so that banks can mitigate fraud on other compromised cards.
The tag is: misp-galaxy:financial-fraud="Skimming - CPP UPT"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Skimming - CPP Virtual Terminal
Same as e-Skimming
The tag is: misp-galaxy:financial-fraud="Skimming - CPP Virtual Terminal"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Card Trapping
Unauthorized physical ATM manipulation, preventing card from being returned to customer - SEE FULL TERMINAL FRAUD DEFINITION
The tag is: misp-galaxy:financial-fraud="Card Trapping"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Lack of Patching / Security
Patch management is the best practice of upgrading existing software applications to remove any security weaknesses that could be exploited by hackers. Lack of proper patching allows cyber criminals to exploit systems and networks.
The tag is: misp-galaxy:financial-fraud="Lack of Patching / Security"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Bad implementation
Process where an information system is deployed into a production environment with faults, errors or vulnerabilities.
The tag is: misp-galaxy:financial-fraud="Bad implementation"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Deployment Error
Implementation of a system, solution or service not according to defined and tested best practices.
The tag is: misp-galaxy:financial-fraud="Deployment Error"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Merchant Negligence
Merchants not following best practice procedures to avoid criminal or fraudulent activity.
The tag is: misp-galaxy:financial-fraud="Merchant Negligence"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Implementation not according to Standards
Implementation of a system, solution or service not according to defined and tested standards.
The tag is: misp-galaxy:financial-fraud="Implementation not according to Standards"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Backdoor
A list of backdoor malware.
Backdoor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
raw-data
WellMess
Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.
The tag is: misp-galaxy:backdoor="WellMess"
WellMess has relationships with:
-
similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"
Links |
Rosenbridge
The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.
While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.
The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.
The tag is: misp-galaxy:backdoor="Rosenbridge"
Links |
ServHelper
The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.
"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.
The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.
The tag is: misp-galaxy:backdoor="ServHelper"
Links |
Rising Sun
The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.
The tag is: misp-galaxy:backdoor="Rising Sun"
Links |
https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/ |
SLUB
A new backdoor was observed using the GitHub Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor, dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild, is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing GitHub and Slack uses a multi-stage infection process.
The tag is: misp-galaxy:backdoor="SLUB"
SLUB has relationships with:
-
similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"
Links |
Asruex
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.
The tag is: misp-galaxy:backdoor="Asruex"
Links |
Speculoos
FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.
The tag is: misp-galaxy:backdoor="Speculoos"
Speculoos has relationships with:
-
used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"
Links |
Mori Backdoor
Mori Backdoor has been used by Seedworm.
The tag is: misp-galaxy:backdoor="Mori Backdoor"
Links |
BazarBackdoor
Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform SendGrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites linked in the emails seem legitimate and correspond to the emails' subjects.
The tag is: misp-galaxy:backdoor="BazarBackdoor"
BazarBackdoor is also known as:
-
BEERBOT
-
KEGTAP
-
Team9Backdoor
-
bazaloader
-
bazarloader
-
bazaarloader
Links |
https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/ |
SUNBURST
Backdoor.Sunburst is Malwarebytes' detection name for a trojanized update to SolarWinds' Orion IT monitoring and management software.
The tag is: misp-galaxy:backdoor="SUNBURST"
SUNBURST is also known as:
-
Solarigate
SUNBURST has relationships with:
-
dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"
Links |
https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/ |
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, allowing the threat actor a variety of mechanisms to interact with the implant.
The tag is: misp-galaxy:backdoor="BPFDoor"
Links |
https://twitter.com/CraigHRowland/status/1523266585133457408 |
BOLDMOVE
According to Mandiant, this malware family is attributed to a potential Chinese background, and its Linux variant is related to exploitation of Fortinet's SSL-VPN (CVE-2022-42475).
The tag is: misp-galaxy:backdoor="BOLDMOVE"
VEILEDSIGNAL
VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control (C2) infrastructure.
The tag is: misp-galaxy:backdoor="VEILEDSIGNAL"
Links |
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise |
POOLRAT
POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, securely deleting files, reading and writing files, and updating the configuration.
The tag is: misp-galaxy:backdoor="POOLRAT"
Links |
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise |
BIGRAISIN
BIGRAISIN is a C/C++ Windows-based backdoor. It is capable of executing downloaded commands, executing downloaded files, and deleting files. Availability: Non-public
The tag is: misp-galaxy:backdoor="BIGRAISIN"
BIGRAISIN has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
FASTFIRE
FASTFIRE is a malicious APK that connects to a server and sends details of the compromised device back to command and control (C2). Availability: Non-public
The tag is: misp-galaxy:backdoor="FASTFIRE"
FASTFIRE has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
GRAYZONE
GRAYZONE is a C/C++ Windows backdoor capable of collecting system information, logging keystrokes, and downloading additional stages from the C2 server. Availability: Non-public
The tag is: misp-galaxy:backdoor="GRAYZONE"
GRAYZONE has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
HANGMAN.V2
HANGMAN.V2 is a variant of the backdoor HANGMAN. HANGMAN.V2 is very similar to HANGMAN, but uses HTTP for the network communications and formats data passed to the C2 server differently. Availability: Non-public
The tag is: misp-galaxy:backdoor="HANGMAN.V2"
HANGMAN.V2 has relationships with:
-
variant-of: misp-galaxy:malpedia="HOPLIGHT" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
LOGCABIN
LOGCABIN is a file-less and modular backdoor with multiple stages. The stages consist of several VisualBasic and PowerShell scripts that are downloaded and executed. LOGCABIN collects detailed system information and sends it to the C2 before performing additional commands. Availability: Non-public
The tag is: misp-galaxy:backdoor="LOGCABIN"
LOGCABIN has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
SOURDOUGH
SOURDOUGH is a backdoor written in C that communicates via HTTP. Its capabilities include keylogging, screenshot capture, file transfer, file execution, and directory enumeration. Availability: Non-public
The tag is: misp-galaxy:backdoor="SOURDOUGH"
SOURDOUGH has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
TROIBOMB
TROIBOMB is a C/C++ Windows backdoor that is capable of collecting system information and performing commands from the C2 server. Availability: Non-public
The tag is: misp-galaxy:backdoor="TROIBOMB"
TROIBOMB has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
ZIPLINE
ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).
The tag is: misp-galaxy:backdoor="ZIPLINE"
Links |
https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation |
SPAWNSNAIL
SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.
SPAWNSNAIL’s second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.
The tag is: misp-galaxy:backdoor="SPAWNSNAIL"
SPAWNSNAIL has relationships with:
-
used-by: misp-galaxy:threat-actor="UNC5337" with estimative-language:likelihood-probability="likely"
-
preceded-by: misp-galaxy:tool="SPAWNANT" with estimative-language:likelihood-probability="likely"
-
interacts-with: misp-galaxy:tool="SPAWNMOLE" with estimative-language:likelihood-probability="likely"
-
injects: misp-galaxy:tool="SPAWNSLOTH" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
BRICKSTORM
BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.
The tag is: misp-galaxy:backdoor="BRICKSTORM"
BRICKSTORM has relationships with:
-
used-by: misp-galaxy:threat-actor="UTA0178" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
PHANTOMNET
PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET’s core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.
The tag is: misp-galaxy:backdoor="PHANTOMNET"
PHANTOMNET has relationships with:
-
is-deployed-by: misp-galaxy:threat-actor="UNC5330" with estimative-language:likelihood-probability="likely"
-
executed-by: misp-galaxy:tool="TONERJAM" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
TERRIBLETEA
TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities, including command execution, keystroke logging, SOCKS5 proxying, port scanning, file system interaction, SQL query execution, screen captures, and the ability to open a new SSH session, execute commands, and upload files to a remote server.
The tag is: misp-galaxy:backdoor="TERRIBLETEA"
TERRIBLETEA has relationships with:
-
is-deployed-by: misp-galaxy:threat-actor="UNC5266" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
Merdoor
Merdoor is a fully-featured backdoor that appears to have been in existence since 2018. The backdoor contains the following functionality: installing itself as a service, keylogging, a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), and the ability to listen on a local port for commands. Instances of the Merdoor backdoor are usually identical with the exception of the embedded and encrypted configuration, which determines the C&C communication method, service details and installation directory. Typically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.
The tag is: misp-galaxy:backdoor="Merdoor"
Links |
Banker
A list of banker malware.
Banker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown - raw-data
Zeus
Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.
The tag is: misp-galaxy:banker="Zeus"
Zeus is also known as:
-
Zbot
Zeus has relationships with:
-
similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://usa.kaspersky.com/resource-center/threats/zeus-virus |
Vawtrak
Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.
The tag is: misp-galaxy:banker="Vawtrak"
Vawtrak is also known as:
-
Neverquest
Vawtrak has relationships with:
-
similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"
Dridex
Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.
The tag is: misp-galaxy:banker="Dridex"
Dridex is also known as:
-
Feodo Version D
-
Cridex
Dridex has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"
Links |
Gozi
Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010.
The tag is: misp-galaxy:banker="Gozi"
Gozi is also known as:
-
Ursnif
-
CRM
-
Snifula
-
Papras
Gozi has relationships with:
-
similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"
Links |
https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 |
Goziv2
Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.
The tag is: misp-galaxy:banker="Goziv2"
Goziv2 is also known as:
-
Prinimalka
Links |
Gozi ISFB
Banking trojan based on Gozi source. Features include web injects for the victims' browsers, screenshotting, video recording, transparent redirections, etc. Source leaked around the end of 2015.
The tag is: misp-galaxy:banker="Gozi ISFB"
Gozi ISFB has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
Dreambot
Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.
The tag is: misp-galaxy:banker="Dreambot"
Links |
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
IAP
Gozi ISFB variant
The tag is: misp-galaxy:banker="IAP"
IAP has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
GozNym
GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.
The tag is: misp-galaxy:banker="GozNym"
Links |
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ |
Zloader Zeus
Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Zloader Zeus"
Zloader Zeus is also known as:
-
Zeus Terdot
Zloader Zeus has relationships with:
-
similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"
Links |
https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle |
Zeus VM
Zeus variant that utilizes steganography in image files to retrieve configuration file.
The tag is: misp-galaxy:banker="Zeus VM"
Zeus VM is also known as:
-
VM Zeus
Zeus VM has relationships with:
-
similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/ |
Zeus Sphinx
Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.
The tag is: misp-galaxy:banker="Zeus Sphinx"
Zeus Sphinx has relationships with:
-
similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ |
Panda Banker
Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Panda Banker"
Panda Banker is also known as:
-
Zeus Panda
Links |
https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market |
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf |
Zeus KINS
Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of its config in the registry.
The tag is: misp-galaxy:banker="Zeus KINS"
Zeus KINS is also known as:
-
Kasper Internet Non-Security
-
Maple
Zeus KINS has relationships with:
-
similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/ |
Chthonic
Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
The tag is: misp-galaxy:banker="Chthonic"
Chthonic is also known as:
-
Chtonic
Chthonic has relationships with:
-
similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/ |
Trickbot
Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.
The tag is: misp-galaxy:banker="Trickbot"
Trickbot is also known as:
-
Trickster
-
Trickloader
Trickbot has relationships with:
-
similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"
Dyre
Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.
The tag is: misp-galaxy:banker="Dyre"
Dyre is also known as:
-
Dyreza
Dyre has relationships with:
-
similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ |
Tinba
Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.
The tag is: misp-galaxy:banker="Tinba"
Tinba is also known as:
-
Zusy
-
TinyBanker
-
illi
Tinba has relationships with:
-
similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"
Geodo
Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.
The tag is: misp-galaxy:banker="Geodo"
Geodo is also known as:
-
Feodo Version C
-
Emotet
Geodo has relationships with:
-
similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/ |
https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet |
Feodo
Feodo is a banking trojan that uses web injects and is also capable of monitoring and manipulating cookies. Version A communicates over port 8080, version B over port 80. It is delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Feodo"
Feodo is also known as:
-
Bugat
-
Cridex
Feodo has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"
Links |
http://stopmalvertising.com/rootkits/analysis-of-cridex.html |
Ramnit
Ramnit was not a banking trojan when it first appeared in 2010; it became one after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.
The tag is: misp-galaxy:banker="Ramnit"
Ramnit is also known as:
-
Nimnul
Ramnit has relationships with:
-
similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Links |
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ |
Qakbot
Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.
The tag is: misp-galaxy:banker="Qakbot"
Qakbot is also known as:
-
Qbot
-
Pinkslipbot
-
Akbot
Qakbot has relationships with:
-
similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"
Corebot
Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Corebot"
Corebot has relationships with:
-
similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"
Links |
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ |
TinyNuke
TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to perform web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="TinyNuke"
TinyNuke is also known as:
-
NukeBot
-
Nuclear Bot
-
MicroBankingTrojan
-
Xbot
TinyNuke has relationships with:
-
similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"
Retefe
Retefe is a banking trojan distributed by what SWITCH-CERT calls the Retefe gang, also tracked as Operation Emmental. It uses geolocation-based targeting. It installs a fake root certificate and changes the DNS server used for name resolution, so that fake banking websites can be displayed to victims without triggering certificate warnings. It is spread primarily through malspam emails.
The tag is: misp-galaxy:banker="Retefe"
Retefe is also known as:
-
Tsukuba
-
Werdlod
Retefe has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
ReactorBot
ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="ReactorBot"
ReactorBot has relationships with:
-
similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"
Matrix Banker
Matrix Banker is named after the Matrix reference in its C2 panel. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="Matrix Banker"
Matrix Banker has relationships with:
-
similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"
Links |
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/ |
Zeus Gameover
Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to overseas accounts controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin, which makes it harder to take down. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Zeus Gameover"
SpyEye
SpyEye is a banking trojan similar to Zeus. It uses a web control panel for C2 and can perform form grabbing, and it ships modules for credit card autofill, an FTP grabber, a POP3 grabber and an HTTP basic access authentication grabber. It also contained a "Kill Zeus" feature that removed any Zeus infection present on the same system. Distributed primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="SpyEye"
Links |
https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf |
https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot |
Citadel
Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.
The tag is: misp-galaxy:banker="Citadel"
Citadel has relationships with:
-
similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ |
Atmos
Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Atmos"
Links |
https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/ |
Ice IX
Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.
The tag is: misp-galaxy:banker="Ice IX"
Ice IX has relationships with:
-
similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/ice-ix-not-cool-at-all/29111/ |
Zitmo
Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.
The tag is: misp-galaxy:banker="Zitmo"
Links |
https://securelist.com/zeus-in-the-mobile-for-android-10/29258/ |
Licat
Banking trojan based on Zeus v2. Murofet is a newer version of Licat found around the end of 2011.
The tag is: misp-galaxy:banker="Licat"
Licat is also known as:
-
Murofet
Licat has relationships with:
-
similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"
Links |
https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/ |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A |
Skynet
Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.
The tag is: misp-galaxy:banker="Skynet"
Links |
https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/ |
IcedID
According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.
The tag is: misp-galaxy:banker="IcedID"
IcedID is also known as:
-
BokBot
IcedID has relationships with:
-
similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"
GratefulPOS
GratefulPOS has the following functions: 1. access arbitrary processes on the target POS system; 2. scrape track 1 and track 2 payment card data from those processes; 3. exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to what Paul Rascagneres described in his analysis of FrameworkPOS in 2014[iii] and, more recently, Luis Mendieta of Anomali in an analysis of a precursor to this sample.
The tag is: misp-galaxy:banker="GratefulPOS"
GratefulPOS has relationships with:
-
similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"
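As an added example (not from the MISP galaxy or from the GratefulPOS analysis it cites), the Python below scores DNS query logs for the exfiltration pattern described above: long, high-entropy subdomain labels sent repeatedly by one client to one zone. The log format and the sample lines are constructed, and the thresholds (label length 30, 3.0 bits per character, three queries per client and zone) are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original page or any real
# incident). Format assumed: "<timestamp> <client-ip> <qtype> <qname>".
# The four long hex-looking labels under one zone from one client model the
# "lengthy encoded DNS queries to a hardcoded domain" behaviour.
SAMPLE_DNS_LOG = """\
2018-01-10T09:00:01Z 10.0.5.21 A www.example.com
2018-01-10T09:00:02Z 10.0.5.21 A 4e9a7c3f1b2d8e0f6a5c4b3d2e1f0a9b8c7d6e5f.updates.example-cdn.test
2018-01-10T09:00:02Z 10.0.5.21 A 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.updates.example-cdn.test
2018-01-10T09:00:03Z 10.0.5.21 A 0a1b2c3d4e5f60718293a4b5c6d7e8f9aabbccdd.updates.example-cdn.test
2018-01-10T09:00:04Z 10.0.5.22 A mail.example.com
2018-01-10T09:00:05Z 10.0.5.21 A ab12cd34ef56ab78cd90ef12ab34cd56ef78ab90.updates.example-cdn.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Split a query name into (subdomain labels, zone). Assumption: the zone
    is the last two labels; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def encoded_labels(qname: str, min_label_len: int = 30, min_entropy: float = 3.0):
    """Subdomain labels that look like encoded data rather than hostnames:
    long and high-entropy. Random hex or base64 chunks of 30+ characters score
    above 3 bits per character; real hostnames are short and repetitive."""
    sub, _zone = split_zone(qname)
    return [lab for lab in sub
            if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy]


def is_suspicious(qname: str, **kw) -> bool:
    return bool(encoded_labels(qname, **kw))


def find_dns_exfil(log_text: str, min_queries: int = 3, **kw):
    """Group suspicious queries by (client, zone) and report every group that
    reached min_queries, with the count and the total encoded characters sent.
    One long label is noise; a stream of them to a single zone is a channel."""
    groups = defaultdict(lambda: {"queries": 0, "payload_chars": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = m.groups()
        chunks = encoded_labels(qname, **kw)
        if not chunks:
            continue
        _sub, zone = split_zone(qname)
        stats = groups[(client, zone)]
        stats["queries"] += 1
        stats["payload_chars"] += sum(len(c) for c in chunks)
    hits = [{"client": client, "zone": zone, **stats}
            for (client, zone), stats in groups.items()
            if stats["queries"] >= min_queries]
    return sorted(hits, key=lambda h: (h["client"], h["zone"]))


if __name__ == "__main__":
    for hit in find_dns_exfil(SAMPLE_DNS_LOG):
        print(hit)
```

Running it over the sample reports one (client, zone) pair, 10.0.5.21 to example-cdn.test, with four queries and 160 encoded characters; the two ordinary lookups are not counted. Grouping by zone rather than by full name is what separates this channel from the many CDN and telemetry names that also use long labels: those spread across many clients and zones, while an exfiltration stream is one client talking to one registrant.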
Dok
A macOS banking trojan that redirects an infected user's web traffic in order to extract banking credentials.
The tag is: misp-galaxy:banker="Dok"
Dok has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
downAndExec
Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.
The tag is: misp-galaxy:banker="downAndExec"
Links |
https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/ |
Smominru
Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.
The tag is: misp-galaxy:banker="Smominru"
Smominru is also known as:
-
Ismo
-
lsmo
Smominru has relationships with:
-
similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"
DanaBot
DanaBot is a trojan that includes banking-site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL in turn connects using raw TCP connections to port 443, rather than HTTPS, and downloads additional modules (e.g. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll).
The tag is: misp-galaxy:banker="DanaBot"
DanaBot has relationships with:
-
similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"
Links |
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 |
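The raw-TCP-on-443 behaviour above is easy to spot on the wire, because a genuine TLS session starts with a recognisable record header. The Python below is an added example, not part of the MISP galaxy or of Proofpoint's analysis: it checks whether the first client bytes of a flow to tcp/443 are a TLS ClientHello and flags flows that are not. The captured "first segments" are constructed and are not a DanaBot signature; the FirstSegment type and the 443 default are assumptions.

```python
import struct
from dataclasses import dataclass

# TLS record header: content type (1), record version (2), length (2).
# The first thing a TLS client sends is a Handshake record (0x16) whose first
# handshake message is ClientHello (0x01). Anything else on tcp/443 is not
# TLS, whatever the port number suggests.
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
# SSL 3.0 .. TLS 1.2 record versions; TLS 1.3 keeps 0x0303 (or 0x0301) in the
# record header for compatibility, so no extra value is needed for it.
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the client's first bytes parse as a TLS record carrying a
    ClientHello. Only the record layer and the handshake type are inspected;
    SSLv2-style hellos (long obsolete) are deliberately not recognised."""
    if len(first_bytes) < 6:
        return False
    content_type, version, rec_len = struct.unpack("!BHH", first_bytes[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    if rec_len < 4 or rec_len > 2 ** 14 + 2048:   # handshake header needs 4 bytes
        return False
    return first_bytes[5] == TLS_CLIENT_HELLO


@dataclass
class FirstSegment:
    flow_id: str
    dst_port: int
    client_bytes: bytes   # first client-to-server payload bytes of the flow


# Constructed flows (not real captures and not a DanaBot signature):
SAMPLE_FLOWS = [
    # genuine TLS 1.2 ClientHello record, body padded with zeros
    FirstSegment("f1", 443, bytes.fromhex("16030100c4010000c00303") + bytes(16)),
    # opaque binary protocol on 443, the DanaBot-style behaviour
    FirstSegment("f2", 443, bytes.fromhex("0000012ca97f3b100e4dc255aa")),
    # plain HTTP on its normal port, out of scope for this check
    FirstSegment("f3", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # plain HTTP on 443, also worth a look
    FirstSegment("f4", 443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def find_non_tls_on_443(flows, port: int = 443):
    """Flow ids whose first client bytes to `port` are not a TLS ClientHello."""
    return [f.flow_id for f in flows
            if f.dst_port == port and not looks_like_tls_client_hello(f.client_bytes)]


if __name__ == "__main__":
    print(find_non_tls_on_443(SAMPLE_FLOWS))   # ['f2', 'f4']
```

The check deliberately stops at the record header: it does not need to parse the ClientHello body, so it is cheap enough to run on every new flow in a sensor, and it also catches plain HTTP or other clear-text protocols that were put on 443 to slip past port-based filtering. The usual false positives are legitimate custom protocols that squat on 443 for the same reason; an allowlist of known destinations takes care of those.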
Backswap
The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect the values of window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.
The tag is: misp-galaxy:banker="Backswap"
Links |
https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/ |
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ |
Bebloh
The tag is: misp-galaxy:banker="Bebloh"
Bebloh is also known as:
-
URLZone
-
Shiotob
Bebloh has relationships with:
-
similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security-center/writeup/2011-041411-0912-99 |
Banjori
The tag is: misp-galaxy:banker="Banjori"
Banjori is also known as:
-
MultiBanker 2
-
BankPatch
-
BackPatcher
Banjori has relationships with:
-
similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"
Qadars
The tag is: misp-galaxy:banker="Qadars"
Qadars has relationships with:
-
similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"
Links |
https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/ |
Ranbyus
The tag is: misp-galaxy:banker="Ranbyus"
Ranbyus has relationships with:
-
similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"
Fobber
The tag is: misp-galaxy:banker="Fobber"
Fobber has relationships with:
-
similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"
Karius
Karius is a trojan that was still under development when it was already being distributed through the RIG exploit kit. It shows code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a fairly traditional way for banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll) that work together to deploy webinjects in several browsers.
The tag is: misp-galaxy:banker="Karius"
Karius has relationships with:
-
similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"
Links |
https://research.checkpoint.com/banking-trojans-development/ |
Kronos
Kronos is banking malware first reported in 2014, when it was sold for $7,000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file targeting U.K. banks and one bank in India. Similar to Zeus, it focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C panels.
The tag is: misp-galaxy:banker="Kronos"
Kronos has relationships with:
-
similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/ |
CamuBot
A newly discovered banking trojan departs from the usual tactics observed by malware researchers by opting for a visible installation and by adding social engineering components. CamuBot appeared last month in Brazil, targeting companies and public-sector organizations. The victim installs the malware themselves, on the instructions of a human operator who pretends to be a bank employee.
The tag is: misp-galaxy:banker="CamuBot"
CamuBot has relationships with:
-
similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"
Dark Tequila
Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.
The tag is: misp-galaxy:banker="Dark Tequila"
Links |
https://thehackernews.com/2018/08/mexico-banking-malware.html |
Malteiro
Distributed by Malteiro
The tag is: misp-galaxy:banker="Malteiro"
Malteiro is also known as:
-
URSA
Malteiro has relationships with:
-
delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"
Bhadra Framework
Bhadra Threat Modeling Framework.
Bhadra Framework is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
- authors
-
Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura
Attacks from UE
"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.
The tag is: misp-galaxy:bhadra-framework="Attacks from UE"
SIM-based attacks
The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.
The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"
Attacks from radio access network
The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.
The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"
Attacks from other mobile network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes
The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"
Attacks with access to transport network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes
The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"
Attacks from IP-based network
The "attacks from IP-based attacks" techniques mostly are launched from the service and application network, which allows non operator entities to infuse malicious trac into an operator’s network.
The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"
Insider attacks and human errors
The "insider attacks and human errors" technique involve the intentional attacks and unintentional mistakes from human insiders with access to any component of the mobile communication ecosystem.
The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"
Infecting UE hardware or software
Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.
The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"
Infecting SIM cards
Retaining the foothold gained on the target system through the initial access by infecting SIM cards.
The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"
Spoofed radio network
Retaining the foothold gained on the target system through the initial access by radio network spoofing.
The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"
Infecting network nodes
Retaining the foothold gained on the target system through the initial access by infecting network nodes.
The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"
Covert channels
Retaining the foothold gained on the target system through the initial access via covert channels.
The tag is: misp-galaxy:bhadra-framework="Covert channels"
Port scanning or sweeping
"Port scanning or sweeping" techniques to probe servers or hosts with open ports.
The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"
Perimeter mapping
"perimeter mapping" techniques such as command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs using a wide range of publicly available sources.
The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"
Threat intelligence gathering
"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.
The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"
CN-specific scanning
"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).
The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"
Internal resource search
"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.
The tag is: misp-galaxy:bhadra-framework="Internal resource search"
UE knocking
"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.
The tag is: misp-galaxy:bhadra-framework="UE knocking"
Exploit roaming agreements
"Exploit roaming agreements" is a technique exploited by evil mobile operators. Despite communication with operators is dependent on a roaming agreement being in place, an attacker that has gained a foothold with one operator, it can abuse the roaming agreements in place for lateral movement with all adjacent operators with agreements in place.
The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"
Abusing interworking functionalities
"Abusing Inter-working functionalities" is a technique for adversaries to move between networks of different generations laterally
The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"
Exploit platform & service-specific vulnerabilities
Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.
The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"
SS7-based-attacks
Attacks abusing the SS7 protocol.
The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"
Diameter-based attacks
Attacks abusing the Diameter protocol.
The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"
GTP-based attacks
Attacks abusing the GTP protocol.
The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"
Pre-AKA attacks
Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.
The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"
Security audit camouflage
The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.
The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"
Blacklist evasion
Mobile operators employ several defenses to secure their network traffic. For instance, operators maintain a whitelist of IPs and GTs (global titles) of nodes from their own infrastructure and from their partner operators (as agreed in the IR.21), and only traffic from these nodes is processed. Similarly, a blacklist is maintained to control spam caused by configuration errors and malicious traffic; anything on the blacklist is barred from entering the operator's network. Such mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and the SAN), but they barely serve their purpose against attacks over inter-operator communication. Since most of the signalling protocols are unauthenticated, an attacker who knows the identifiers of allowed nodes (gained during the discovery phase) can impersonate them. We call this the blacklist evasion technique.
The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"
Middlebox misconfiguration exploits
NAT middleboxes separate mobile operators' private networks from the public Internet and serve as a second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks, e.g., by spoofing IP headers. Other NAT vulnerabilities lie in the IPv4-to-IPv6 address mapping logic, which adversaries can exploit to exhaust resources, wipe out the mapping, or assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploits to launch denial-of-service or over-billing attacks.
The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"
Bypass Firewall
Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.
The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"
Bypass homerouting
SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.
The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"
Downgrading
Attacks on radio access networks are well studied, and newer generations are designed to address the weaknesses of previous ones. Use of weak cryptographic primitives, lack of integrity protection on the radio channels and one-sided authentication (the network authenticates the subscriber, but the subscriber cannot authenticate the network) remain problems mostly of GSM radio communication. Radio link attackers therefore use downgrading as an attack technique: they block service over the newer generations and agree to serve only on the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts only SS7-based signalling instead of Diameter-based signalling. Using interworking functions for inter-generation translation could make downgrading attacks much easier.
The tag is: misp-galaxy:bhadra-framework="Downgrading"
Redirection
Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.
The tag is: misp-galaxy:bhadra-framework="Redirection"
UE Protection evasion
Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.
The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"
Admin credentials
Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.
The tag is: misp-galaxy:bhadra-framework="Admin credentials"
User-specific identifiers
User-specific identifiers such as IMSI and IMEI indicate who owns a UE with a specific subscription and where that UE is physically located. Since mobile users keep their phones physically near them, an adversary with knowledge of these permanent identifiers is able to determine whether or not a user is in a specific location. Temporary identifiers (e.g., TMSI and GUTI) are used to reduce the use of permanent identifiers like the IMSI over radio channels. Although temporary identifiers are supposed to change frequently and be short-lived, research has shown that this is often not the case.
The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"
User-specific data
Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).
The tag is: misp-galaxy:bhadra-framework="User-specific data"
Network-specific identifiers
Adversaries aim to collect network-specific identifiers such as the GTs and IPs of critical nodes and the Tunnel Endpoint Identifiers (TEIDs) of GTP tunnels from operators' networks.
The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"
Network-specific data
Adversaries may also be interested in network-specific data that is obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationships between different nodes, routing metadata and sensitive documents.
The tag is: misp-galaxy:bhadra-framework="Network-specific data"
Location tracking
Attacker is able to track the location of the target end-user.
The tag is: misp-galaxy:bhadra-framework="Location tracking"
Calls eavesdropping
Attacker is able to eavesdrop on calls.
The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"
SMS interception
Attacker is able to intercept SMS messages.
The tag is: misp-galaxy:bhadra-framework="SMS interception"
Data interception
Attacker is able to intercept or modify internet traffic.
The tag is: misp-galaxy:bhadra-framework="Data interception"
Billing frauds
Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.
The tag is: misp-galaxy:bhadra-framework="Billing frauds"
DoS - network
The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.
The tag is: misp-galaxy:bhadra-framework="DoS - network"
DoS - user
The attacker can cause denial of service to mobile users.
The tag is: misp-galaxy:bhadra-framework="DoS - user"
Identity-related attacks
Identity-based attacks involve attack techniques that use user- and network-specific identifiers. They harm the privacy of mobile users and produce fraudulent traffic that causes financial loss to operators. In most cases, identity-based attacks are used for impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing the appropriate credentials, for example to obtain free mobile services. Most of the signalling attacks that use SS7 also fall into this category. In other cases, identity-based attacks involve identity mapping, where the adversary maps temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.
The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"
Botnet
botnet galaxy.
Botnet is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Authors: Various
ADB.miner
A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.
The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.
Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which they named ADB.miner.
The tag is: misp-galaxy:botnet="ADB.miner"
Links:
- https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/
Bagle
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
The tag is: misp-galaxy:botnet="Bagle"
Bagle is also known as:
- Beagle
- Mitglieder
- Lodeight
Bagle has relationships with:
- similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"
Marina Botnet
Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.
The tag is: misp-galaxy:botnet="Marina Botnet"
Marina Botnet is also known as:
- Damon Briant
- BOB.dc
- Cotmonger
- Hacktool.Spammer
- Kraken
Marina Botnet has relationships with:
- similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"
Torpig
Torpig, also known as Anserin or Sinowal, is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.
The tag is: misp-galaxy:botnet="Torpig"
Torpig is also known as:
- Sinowal
- Anserin
Torpig has relationships with:
- similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"
Storm
The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.
The tag is: misp-galaxy:botnet="Storm"
Storm is also known as:
- Nuwar
- Peacomm
- Zhelatin
- Dorf
- Ecard
Rustock
The tag is: misp-galaxy:botnet="Rustock"
Rustock is also known as:
- RKRustok
- Costrat
Rustock has relationships with:
- similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"
Donbot
The tag is: misp-galaxy:botnet="Donbot"
Donbot is also known as:
- Buzus
- Bachsoy
Donbot has relationships with:
- similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"
Cutwail
The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. Related to: Wigon, Pushdo.
The tag is: misp-galaxy:botnet="Cutwail"
Cutwail is also known as:
- Pandex
- Mutant
Cutwail has relationships with:
- similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"
Akbot
Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.
The tag is: misp-galaxy:botnet="Akbot"
Akbot has relationships with:
- similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
Srizbi
The Srizbi BotNet is considered one of the world’s largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnet consists of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes were reduced by up to 93% as a result of this action.
The tag is: misp-galaxy:botnet="Srizbi"
Srizbi is also known as:
- Cbeplay
- Exchanger
Lethic
The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.
The tag is: misp-galaxy:botnet="Lethic"
Lethic has relationships with:
- similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"
Xarvester
The tag is: misp-galaxy:botnet="Xarvester"
Xarvester is also known as:
- Rlsloup
- Pixoliz
Sality
Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.
The tag is: misp-galaxy:botnet="Sality"
Sality is also known as:
- Sector
- Kuku
- Sality
- SalLoad
- Kookoo
- SaliCode
- Kukacka
Sality has relationships with:
- similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"
Mariposa
The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.
The tag is: misp-galaxy:botnet="Mariposa"
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.
The tag is: misp-galaxy:botnet="Conficker"
Conficker is also known as:
- DownUp
- DownAndUp
- DownAdUp
- Kido
Conficker has relationships with:
- similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"
Waledac
Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.
The tag is: misp-galaxy:botnet="Waledac"
Waledac is also known as:
- Waled
- Waledpak
Maazben
A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.
The tag is: misp-galaxy:botnet="Maazben"
Links:
- https://www.symantec.com/connect/blogs/evaluating-botnet-capacity
Gheg
Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. This is possible thanks to the modular design of this malware – it consists of the main binary (the one the user downloads and gets infected with), which later downloads several additional modules from the C2 server – these modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (a Russian social network).
The tag is: misp-galaxy:botnet="Gheg"
Gheg is also known as:
- Tofsee
- Mondera
Gheg has relationships with:
- similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"
Nucrypt
The tag is: misp-galaxy:botnet="Nucrypt"
Links:
- https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en
Asprox
The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.
The tag is: misp-galaxy:botnet="Asprox"
Asprox is also known as:
- Badsrc
- Aseljo
- Danmec
- Hydraflux
Asprox has relationships with:
- similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"
Spamthru
Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it could get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.
The tag is: misp-galaxy:botnet="Spamthru"
Spamthru is also known as:
- Spam-DComServ
- Covesmer
- Xmiler
Links:
- http://www.root777.com/security/analysis-of-spam-thru-botnet/
Gumblar
Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.
The tag is: misp-galaxy:botnet="Gumblar"
BredoLab
The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.
The tag is: misp-galaxy:botnet="BredoLab"
BredoLab is also known as:
- Oficla
BredoLab has relationships with:
- similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"
Grum
The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.
The tag is: misp-galaxy:botnet="Grum"
Grum is also known as:
- Tedroo
- Reddyb
Mega-D
The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.
The tag is: misp-galaxy:botnet="Mega-D"
Mega-D is also known as:
- Ozdok
Kraken
The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.
The tag is: misp-galaxy:botnet="Kraken"
Kraken is also known as:
- Kracken
Kraken has relationships with:
- similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"
Festi
The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.
The tag is: misp-galaxy:botnet="Festi"
Festi is also known as:
- Spamnost
Vulcanbot
Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.
The tag is: misp-galaxy:botnet="Vulcanbot"
LowSec
The tag is: misp-galaxy:botnet="LowSec"
LowSec is also known as:
- LowSecurity
- FreeMoney
- Ring0.Tools
TDL4
Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).
The tag is: misp-galaxy:botnet="TDL4"
TDL4 is also known as:
- TDSS
- Alureon
TDL4 has relationships with:
- similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"
Zeus
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.
The tag is: misp-galaxy:botnet="Zeus"
Zeus is also known as:
- Zbot
- ZeuS
- PRG
- Wsnpoem
- Gorhax
- Kneber
Zeus has relationships with:
- similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Kelihos
The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.
The tag is: misp-galaxy:botnet="Kelihos"
Kelihos is also known as:
- Hlux
Kelihos has relationships with:
- similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"
Ramnit
Ramnit is a computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec in 2015. In 2015, this infection was estimated at 3 200 000 PCs.
The tag is: misp-galaxy:botnet="Ramnit"
Ramnit has relationships with:
- similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Zer0n3t
The tag is: misp-galaxy:botnet="Zer0n3t"
Zer0n3t is also known as:
- Fib3rl0g1c
- Zer0n3t
- Zer0Log1x
Chameleon
The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).
The tag is: misp-galaxy:botnet="Chameleon"
Mirai
Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.
The tag is: misp-galaxy:botnet="Mirai"
Mirai has relationships with:
- similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
XorDDoS
XOR DDoS is a Linux trojan used to perform large-scale DDoS attacks.
The tag is: misp-galaxy:botnet="XorDDoS"
Satori
According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.
The tag is: misp-galaxy:botnet="Satori"
Satori is also known as:
- Okiru
Satori has relationships with:
- similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"
Links:
- https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant
BetaBot
The tag is: misp-galaxy:botnet="BetaBot"
BetaBot has relationships with:
- similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"
Hajime
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existence was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).
The tag is: misp-galaxy:botnet="Hajime"
Hajime has relationships with:
- similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"
Links:
- https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/
Muhstik
The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.
The tag is: misp-galaxy:botnet="Muhstik"
Hide and Seek
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.
The tag is: misp-galaxy:botnet="Hide and Seek"
Hide and Seek is also known as:
- HNS
- Hide 'N Seek
Hide and Seek has relationships with:
- similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"
Links:
- https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/
Mettle
Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
The tag is: misp-galaxy:botnet="Mettle"
Links:
- https://thehackernews.com/2018/05/botnet-malware-hacking.html
Owari
An IoT botnet and Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, the Owari bot (another Mirai variant) or the Omni bot. The author is called WICKED.
The tag is: misp-galaxy:botnet="Owari"
Owari has relationships with:
- similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
Links:
- https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html
Brain Food
Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.
The tag is: misp-galaxy:botnet="Brain Food"
Pontoeb
The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run commands such as: download a file, update itself, visit a website and perform HTTP, SYN and UDP flooding.
The tag is: misp-galaxy:botnet="Pontoeb"
Pontoeb is also known as:
- N0ise
Links:
- http://dataprotectioncenter.com/general/are-you-beta-testing-malware/
Trik Spam Botnet
The tag is: misp-galaxy:botnet="Trik Spam Botnet"
Trik Spam Botnet is also known as:
- Trik Trojan
Links:
- https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/
Madmax
The tag is: misp-galaxy:botnet="Madmax"
Madmax is also known as:
- Mad Max
Madmax has relationships with:
- similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"
Pushdo
The tag is: misp-galaxy:botnet="Pushdo"
Pushdo has relationships with:
- similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"
Links:
- https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/
Simda
The tag is: misp-galaxy:botnet="Simda"
Simda has relationships with:
- similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"
Virut
The tag is: misp-galaxy:botnet="Virut"
Virut has relationships with:
- similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"
Bamital
The tag is: misp-galaxy:botnet="Bamital"
Bamital is also known as:
- Mdrop-CSK
- Agent-OCF
Gafgyt
Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
The tag is: misp-galaxy:botnet="Gafgyt"
Gafgyt is also known as:
- Bashlite
Gafgyt has relationships with:
- similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"
Links:
- https://www.symantec.com/security-center/writeup/2014-100222-5658-99
Sora
Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year. Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.
The tag is: misp-galaxy:botnet="Sora"
Sora is also known as:
- Mirai Sora
Sora has relationships with:
- variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
Torii
We have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.
The tag is: misp-galaxy:botnet="Torii"
Torii has relationships with:
- similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"
Persirai
A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.
The tag is: misp-galaxy:botnet="Persirai"
Persirai has relationships with:
- similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"
Chalubo
Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.
The tag is: misp-galaxy:botnet="Chalubo"
AESDDoS
Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.
The tag is: misp-galaxy:botnet="AESDDoS"
Arceus
A set of DDoS botnets.
The tag is: misp-galaxy:botnet="Arceus"
Arceus is also known as:
- Katura
- MyraV
- myra
Mozi
Mozi infects new devices through weak telnet passwords and exploitation.
The tag is: misp-galaxy:botnet="Mozi"
Links:
- https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/
- https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/
UPAS-Kit
UPAS-Kit was advertised by auroras a/k/a vinny in mid-June 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.
The tag is: misp-galaxy:botnet="UPAS-Kit"
UPAS-Kit is also known as:
- Rombrast
Phorpiex
Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
The tag is: misp-galaxy:botnet="Phorpiex"
Phorpiex is also known as:
- Trik
Links:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).
The tag is: misp-galaxy:botnet="DDG"
DDG has relationships with:
-
similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"
Glupteba
A multi-component botnet targeting Windows computers. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay-per-install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).
The tag is: misp-galaxy:botnet="Glupteba"
Links |
https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ |
Elknot
DDoS Botnet
The tag is: misp-galaxy:botnet="Elknot"
Elknot is also known as:
-
Linux/BillGates
-
BillGates
Links |
https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched |
Cyclops Blink
Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.
The tag is: misp-galaxy:botnet="Cyclops Blink"
Links |
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html |
EnemyBot
In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.
The tag is: misp-galaxy:botnet="EnemyBot"
EnemyBot has relationships with:
-
similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"
Qbot
Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan that steals financial data, browser information (via hooks), keystrokes and credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts to evade detection by injecting into legitimate processes. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam the most frequent. Active in 2020 with two big campaigns, one from March to June and a second starting in July and ongoing, as part of the latest Emotet campaign. A newer version appeared in August.
The tag is: misp-galaxy:botnet="Qbot"
Qbot is also known as:
-
QakBot
-
Pinkslipbot
Qbot has relationships with:
-
dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"
Dark.IoT
This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.
The tag is: misp-galaxy:botnet="Dark.IoT"
Dark.IoT has relationships with:
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
Links |
https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ |
KmsdBot
Akamai Security Research has observed a new Golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against them. The Akamai researchers observed only DDoS activity, but also found functionality to launch cryptomining. The malware has varied targets including the gaming industry, the technology industry, and luxury car manufacturers.
The tag is: misp-galaxy:botnet="KmsdBot"
Links |
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware |
HinataBot
Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.
The tag is: misp-galaxy:botnet="HinataBot"
HinataBot has relationships with:
-
similar: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
Links |
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot |
3ve
3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.
The tag is: misp-galaxy:botnet="3ve"
Links |
7777-Botnet
7777-Botnet has been observed brute forcing Microsoft Azure logins via Azure PowerShell. Infected devices have a distinctive fingerprint: they open port 7777 and return an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-level employee logins. Because the volume is very low, around 2–3 login requests per week, the botnet evades most security solutions.
The tag is: misp-galaxy:botnet="7777-Botnet"
Links |
https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd |
Amadey
Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.
The tag is: misp-galaxy:botnet="Amadey"
Links |
AndroidBauts
AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.
The tag is: misp-galaxy:botnet="AndroidBauts"
Links |
Andromeda
Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.
The tag is: misp-galaxy:botnet="Andromeda"
Andromeda is also known as:
-
Gamarue
-
Wauchos
Links |
https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda |
ArrkiiSDK
ArrkiiSDK is a potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user’s permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.
The tag is: misp-galaxy:botnet="ArrkiiSDK"
Links |
Avalanche
Avalanche refers to a large global hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. Cyber criminals utilized the Avalanche infrastructure to host and distribute a variety of malware variants to victims, including campaigns targeting over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique that hides the criminal servers behind a constantly changing set of compromised systems acting as proxies.
The tag is: misp-galaxy:botnet="Avalanche"
Links |
https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure |
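The fast-flux DNS technique described above leaves a measurable trace in repeated resolutions: the answer set for a domain keeps changing, the addresses are spread across unrelated networks, and TTLs are short so that the proxies can be rotated quickly. The following is an added example (not MISP or Avalanche-related code from the page) that turns those three properties into a simple heuristic. The resolution samples are constructed, use RFC 5737 documentation addresses, and the thresholds are illustrative assumptions; a low TTL on its own is deliberately not enough to flag a domain, because CDNs and round-robin load balancers use short TTLs too.

```python
"""Fast-flux DNS heuristic over repeated resolutions (added example).

Not code from the MISP project or from the Avalanche write-ups. Samples are
constructed with RFC 5737 addresses; thresholds are illustrative.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Resolution:
    t: int                      # seconds since the observation started
    domain: str
    ttl: int                    # TTL of the A records in this answer
    a_records: tuple[str, ...]  # IPv4 addresses returned in this answer


@dataclass(frozen=True)
class FluxStats:
    lookups: int
    distinct_ips: int
    distinct_nets: int          # distinct /16 networks (coarse stand-in for ASN diversity)
    new_ips_per_lookup: float   # never-seen-before addresses per lookup after the first
    min_ttl: int


# Constructed observations: one fluxed domain, one CDN-like domain, one static host.
SAMPLES = [
    Resolution(0,   "fluxed.example", 300, ("198.51.100.7", "203.0.113.19", "192.0.2.44")),
    Resolution(300, "fluxed.example", 300, ("198.51.100.8", "203.0.113.77", "192.0.2.45")),
    Resolution(600, "fluxed.example", 300, ("198.51.100.7", "203.0.113.102", "192.0.2.46")),
    Resolution(900, "fluxed.example", 300, ("198.51.100.9", "203.0.113.19", "192.0.2.47")),
    # Short TTL as well, but a small, stable address pool in one network.
    Resolution(0,   "cdn.example", 60, ("192.0.2.10", "192.0.2.11")),
    Resolution(60,  "cdn.example", 60, ("192.0.2.11", "192.0.2.10")),
    Resolution(120, "cdn.example", 60, ("192.0.2.10", "192.0.2.11")),
    Resolution(180, "cdn.example", 60, ("192.0.2.11", "192.0.2.10")),
    Resolution(0, "static.example", 86400, ("203.0.113.250",)),
]


def summarize(resolutions: list[Resolution]) -> dict[str, FluxStats]:
    """Aggregate per-domain churn, network spread and TTL over all observations."""
    by_domain: dict[str, list[Resolution]] = defaultdict(list)
    for r in resolutions:
        by_domain[r.domain].append(r)
    stats: dict[str, FluxStats] = {}
    for domain, rs in by_domain.items():
        rs.sort(key=lambda r: r.t)
        seen: set[str] = set()
        new_after_first = 0
        for i, r in enumerate(rs):
            fresh = set(r.a_records) - seen
            if i > 0:                          # the first answer is all "new" by definition
                new_after_first += len(fresh)
            seen |= fresh
        nets = {ip_network(f"{ip}/16", strict=False) for ip in seen}
        stats[domain] = FluxStats(
            lookups=len(rs),
            distinct_ips=len(seen),
            distinct_nets=len(nets),
            new_ips_per_lookup=new_after_first / max(len(rs) - 1, 1),
            min_ttl=min(r.ttl for r in rs),
        )
    return stats


def is_fast_flux(s: FluxStats, max_ttl: int = 900, min_nets: int = 3,
                 min_churn: float = 1.0) -> bool:
    """Illustrative rule: short TTL AND address churn AND spread across networks."""
    return (s.min_ttl <= max_ttl
            and s.distinct_nets >= min_nets
            and s.new_ips_per_lookup >= min_churn)


def flagged_domains(resolutions: list[Resolution]) -> set[str]:
    return {d for d, s in summarize(resolutions).items() if is_fast_flux(s)}


if __name__ == "__main__":
    for domain, s in summarize(SAMPLES).items():
        print(f"{domain:16} {s}  flux={is_fast_flux(s)}")
```

In production the resolutions would come from passive DNS or from polling the domain at the TTL boundary over hours; the /16 grouping is a cheap proxy, and an ASN lookup per address gives a far better diversity signal.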
Bayrob
Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.
The tag is: misp-galaxy:botnet="Bayrob"
Links |
Bedep
Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.
The tag is: misp-galaxy:botnet="Bedep"
Links |
Bolek
Bolek is a malware from the Kbot/Carberp family. It is subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, Tor network access, screen captures and web injects, and it uses asymmetric cryptography to secure network communications.
The tag is: misp-galaxy:botnet="Bolek"
Bolek has relationships with:
-
similar: misp-galaxy:botnet="KBOT" with estimative-language:likelihood-probability="likely"
Links |
https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine |
Carna
The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.
The tag is: misp-galaxy:botnet="Carna"
Links |
Code Shikara
Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and is capable of spying on users' browsing activities while stealing their personal online/offline information and/or credentials.
The tag is: misp-galaxy:botnet="Code Shikara"
Links |
Condi
DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running in an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. Typical to Mirai-based botnets, this malware cannot survive a system reboot.
The tag is: misp-galaxy:botnet="Condi"
Links |
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 |
Cooee
Cooee is a trojan pre-installed on some Philips smartphones that displays intrusive advertisements and downloads and installs other software without the user’s knowledge.
The tag is: misp-galaxy:botnet="Cooee"
Links |
Coreflood
Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.
The tag is: misp-galaxy:botnet="Coreflood"
Links |
Crackonosh
In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.
The tag is: misp-galaxy:botnet="Crackonosh"
Links |
https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html |
FluBot
FluBot is a remote control and info stealer malware. It has abilities to read and send SMS messages, delete apps, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.
The tag is: misp-galaxy:botnet="FluBot"
FluBot is also known as:
-
Cabassous
-
FakeChat
Links |
FritzFrog
FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.
The tag is: misp-galaxy:botnet="FritzFrog"
Links |
Gootkit
Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to it, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of the victim’s computer and demanding payment for its safe return.
The tag is: misp-galaxy:botnet="Gootkit"
Links |
Great Cannon
The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user’s web browser to flood traffic to targeted websites. According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University’s Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and repurposes it to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.
The tag is: misp-galaxy:botnet="Great Cannon"
Links |
Hail Mary Cloud
The Hail Mary Cloud was, or is, a password-guessing botnet that used a statistical equivalent of brute-force password guessing. The botnet ran possibly from as early as 2005, certainly from 2007 until 2012, and possibly later. It was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try a few thousand of the most likely passwords against thousands of hosts, rather than millions of passwords against one host. Because the attempts were widely distributed, the frequency seen by any given server was low and unlikely to trigger alarms. Moreover, successive attempts came from different members of the botnet, which reduced the effectiveness of both IP-based detection and blocking.
The tag is: misp-galaxy:botnet="Hail Mary Cloud"
Links |
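Both the 7777-Botnet entry (2–3 login attempts per week) and the Hail Mary Cloud entry (a few thousand passwords spread over thousands of sources) describe the same evasion: every individual source stays below the per-source threshold that a fail2ban-style rule or a lockout policy keys on. The detection has to pivot to the target account instead. The following is an added example, not code from MISP or from either write-up: it parses constructed sshd-style failure lines (not real logs), shows that a per-source rule only catches the one noisy host, and then flags the account that is being hit from many quiet sources. The window and thresholds are illustrative assumptions.

```python
"""Low-and-slow distributed password guessing: per-source vs per-target view.

Added example; not code from the MISP project or the linked write-ups. The
sshd-style lines are constructed samples and the thresholds are illustrative.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (simplified sshd format; not real log data).
SAMPLE_LOG = """\
2024-03-01T00:12:01 sshd[811]: Failed password for root from 198.51.100.10 port 4100 ssh2
2024-03-01T03:40:12 sshd[812]: Failed password for root from 198.51.100.11 port 4101 ssh2
2024-03-01T21:05:30 sshd[813]: Failed password for root from 198.51.100.10 port 4102 ssh2
2024-03-02T02:15:44 sshd[814]: Failed password for root from 203.0.113.5 port 4103 ssh2
2024-03-02T09:00:00 sshd[815]: Failed password for alice from 192.0.2.20 port 4104 ssh2
2024-03-02T09:00:07 sshd[816]: Failed password for alice from 192.0.2.20 port 4105 ssh2
2024-03-02T09:00:20 sshd[817]: Accepted publickey for alice from 192.0.2.20 port 4106 ssh2
2024-03-02T14:22:09 sshd[818]: Failed password for root from 203.0.113.6 port 4107 ssh2
2024-03-03T05:01:55 sshd[819]: Failed password for root from 203.0.113.7 port 4108 ssh2
2024-03-03T12:00:00 sshd[820]: Failed password for bob from 192.0.2.77 port 4109 ssh2
2024-03-03T12:00:03 sshd[821]: Failed password for bob from 192.0.2.77 port 4110 ssh2
2024-03-03T12:00:06 sshd[822]: Failed password for bob from 192.0.2.77 port 4111 ssh2
2024-03-03T12:00:09 sshd[823]: Failed password for bob from 192.0.2.77 port 4112 ssh2
2024-03-03T19:48:03 sshd[824]: Failed password for root from 198.51.100.12 port 4113 ssh2
2024-03-04T08:30:27 sshd[825]: Failed password for root from 203.0.113.8 port 4114 ssh2
2024-03-04T16:20:00 sshd[826]: Failed password for invalid user admin from 203.0.113.9 port 4115 ssh2
2024-03-05T01:11:19 sshd[827]: Failed password for root from 203.0.113.5 port 4116 ssh2
2024-03-05T11:57:40 sshd[828]: Failed password for root from 198.51.100.13 port 4117 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WEEK = timedelta(days=7)


@dataclass(frozen=True)
class AuthFailure:
    ts: datetime
    user: str
    src: str


def parse_line(line: str) -> AuthFailure | None:
    """Return an AuthFailure for a failed-password line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return AuthFailure(datetime.fromisoformat(m["ts"]), m["user"], m["src"])


def parse_log(text: str) -> list[AuthFailure]:
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)


def noisy_sources(events: list[AuthFailure], window: timedelta, threshold: int) -> set[str]:
    """Per-source view (what a fail2ban-style rule sees): sources with at least
    `threshold` failures inside any window of length `window`."""
    by_src: dict[str, list[datetime]] = defaultdict(list)
    for e in events:                       # events are sorted, so each list stays sorted
        by_src[e.src].append(e.ts)
    hits: set[str] = set()
    for src, times in by_src.items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                hits.add(src)
                break
    return hits


def distributed_guessing(events: list[AuthFailure], window: timedelta,
                         min_sources: int, per_source_max: int) -> dict[str, set[str]]:
    """Per-target view: accounts hit from at least `min_sources` distinct sources
    inside one window, counting only sources that stay at or below
    `per_source_max` failures, i.e. exactly the ones a per-source rule ignores."""
    by_user: dict[str, list[AuthFailure]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    flagged: dict[str, set[str]] = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            per_src = Counter(e.src for e in in_window)
            quiet = {s for s, n in per_src.items() if n <= per_source_max}
            if len(quiet) >= min_sources:
                flagged[user] = quiet
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source rule fires on:", noisy_sources(evs, WEEK, threshold=3))
    print("distributed guessing against:", distributed_guessing(evs, WEEK, 6, 2))
```

On the sample, the per-source rule sees only the one host hammering `bob`, while the per-target view flags `root`, which is being tried from eight different sources that each stay at one or two attempts. The same aggregation applies to cloud sign-in logs: key on the target identity and the count of distinct source addresses or ASNs over a window of days, not on per-source rate.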
Joker
Joker is a trojan that is included in several unsuspecting apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.
The tag is: misp-galaxy:botnet="Joker"
Links |
KBOT
KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.
The tag is: misp-galaxy:botnet="KBOT"
Links |
https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/ |
Linux.Darlloz
Linux.Darlloz is a worm which infects Linux-based embedded systems. It was first discovered by Symantec in 2013. Linux.Darlloz targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability (CVE-2012-1823, an argument-injection flaw in php-cgi). The worm was based on proof-of-concept code that was released in October 2013. In March 2014 Linux.Darlloz was found to have started mining cryptocurrencies such as Mincoin and Dogecoin. Linux.Darlloz also attempts to usurp Linux.Aidra, a competing family that, like some Darlloz variants, targets smaller devices, specifically cable and DSL modems; Aidra adds them to a botnet which the attackers can use to perform DDoS attacks.
The tag is: misp-galaxy:botnet="Linux.Darlloz"
Links |
https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/ |
Marcher
Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.
The tag is: misp-galaxy:botnet="Marcher"
Links |
https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/ |
Matsnu
Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.
The tag is: misp-galaxy:botnet="Matsnu"
Links |
https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/ |
Methbot
Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This let the operators game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while mimicking normal computer user behavior. Estimated clicks per day generally reached between 200 and 300 million. Unlike more traditional botnets built from infected PCs and mobile devices, the botnet relied on dedicated data-center servers.
The tag is: misp-galaxy:botnet="Methbot"
Links |
Metulji
The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.
The tag is: misp-galaxy:botnet="Metulji"
Links |
Mevade
The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seem to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a Tor module being distributed to Mevade Trojans.
The tag is: misp-galaxy:botnet="Mevade"
Mevade is also known as:
-
Sefnit
-
SBC
Links |
MobiDash
MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.
The tag is: misp-galaxy:botnet="MobiDash"
Links |
Mutabaha
Mutabaha is a Trojan for Windows devices. It downloads and installs Outfire, a Chromium-based browser that pretends to be a version of the Google Chrome browser. Mutabaha is able to exfiltrate data and manipulate advertisements. Mutabaha is downloaded and installed by another malware; as a rule, this dropper removes itself after the malware has been installed, making it almost impossible to trace the infection.
The tag is: misp-galaxy:botnet="Mutabaha"
Links |
MyDoom
MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.
The tag is: misp-galaxy:botnet="MyDoom"
Links |
Necurs
The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet’s activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.
The tag is: misp-galaxy:botnet="Necurs"
Links |
Nitol
The Nitol botnet is mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis indicating that the botnet is mostly prevalent in China, where an estimated 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft, the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. 3322.org is a Dynamic DNS provider which was used by the botnet creators as command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.
The tag is: misp-galaxy:botnet="Nitol"
Links |
Nymaim
Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, a combination dubbed Goznym. Once the dropper obtains the C&C address, it starts the real communication. It downloads two important binaries, among others: the payload, a banker module responsible for web injects (a passive member of the botnet), and an optional bot module that tries to open ports on the router and become an active part of the botnet (when it fails to do so, it removes itself from the system).
The tag is: misp-galaxy:botnet="Nymaim"
Links |
PBot
PBot (PythonBot) is a Python-based adware bot. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injection of ads, depending on the intentions of its distributors.
The tag is: misp-galaxy:botnet="PBot"
PBot is also known as:
-
PythonBot
Links |
https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware |
Pirrit
Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.
The tag is: misp-galaxy:botnet="Pirrit"
Links |
Pitou
Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.
The tag is: misp-galaxy:botnet="Pitou"
Links |
Prometei
Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary’s part. Prometei is just one of these types of networks that focuses on Monero mining.
The tag is: misp-galaxy:botnet="Prometei"
Links |
https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/ |
PrizeRAT
PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user’s permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.
The tag is: misp-galaxy:botnet="PrizeRAT"
Links |
Pushlran
Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.
The tag is: misp-galaxy:botnet="Pushlran"
Links |
Pykspa
Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.
The tag is: misp-galaxy:botnet="Pykspa"
Links |
Qsnatch
Qsnatch is a trojan for Linux devices that primarily attacks network-attached storage (NAS) devices manufactured by QNAP. Its functions include stealing access credentials and opening backdoors on infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.
The tag is: misp-galaxy:botnet="Qsnatch"
Links |
Remaiten
Remaiten is malware which infects Linux on embedded systems by brute forcing logins with frequently used default username and password combinations from a list. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. Command and control for Remaiten is handled over IRC; additionally it uses an actual IRC channel rather than only the IRC protocol, an improvement over bots such as Tsunami and Torlus that makes Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device in order to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or downloading more malware onto the device. Remaiten is also able to scan for and remove competing bots on a system it has compromised.
The tag is: misp-galaxy:botnet="Remaiten"
Links |
Retadup
Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. In 2019 the French National Gendarmerie announced the successful takedown of the large and widespread RETADUP botnet and described how, with the help of researchers, it remotely disinfected more than 850,000 computers worldwide.
The tag is: misp-galaxy:botnet="Retadup"
Links |
https://thehackernews.com/2019/08/retadup-botnet-malware.html |
RootSTV
RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user’s consent.
The tag is: misp-galaxy:botnet="RootSTV"
Links |
Rovnix
Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.
The tag is: misp-galaxy:botnet="Rovnix"
Links |
https://www.theregister.com/2014/11/06/rovnix_trojan_outbreak/ |
Slenfbot
Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm’s payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.
The tag is: misp-galaxy:botnet="Slenfbot"
Links |
Stacheldraht
Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.
The tag is: misp-galaxy:botnet="Stacheldraht"
Links |
Suppobox
Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.
The tag is: misp-galaxy:botnet="Suppobox"
Suppobox is also known as:
-
Bayrob
-
Nivdort
Links |
Triada
Triada is a trojan for Android devices. Triada’s primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.
The tag is: misp-galaxy:botnet="Triada"
Triada is also known as:
-
APK. Triada
Links |
Trinoo
Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.
The tag is: misp-galaxy:botnet="Trinoo"
Trinoo is also known as:
-
trin00
Links |
Zemra
Zemra is a DDoS bot first seen in underground forums in May 2012. Zemra is capable of HTTP and SYN flooding and has a simple command-and-control panel; its communication with the C&C server is described as protected with "256-bit DES" encryption, which is a misnomer, since DES uses a 56-bit key. Zemra also collects information such as the computer name, language settings and Windows version, and sends this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.
The tag is: misp-galaxy:botnet="Zemra"
Links |
Ztorg
Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user’s permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.
The tag is: misp-galaxy:botnet="Ztorg"
Links |
Quad7
The tag is: misp-galaxy:botnet="Quad7"
Quad7 is also known as:
-
7777
Links |
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router |
https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd |
63256 botnet
The tag is: misp-galaxy:botnet="63256 botnet"
Links |
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router |
Branded Vulnerability
List of known vulnerabilities and attacks with a branding.
Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown
Meltdown
Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.
The tag is: misp-galaxy:branded-vulnerability="Meltdown"
Spectre
Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.
The tag is: misp-galaxy:branded-vulnerability="Spectre"
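The bounds check bypass of Spectre variant 1, as an added example that is not code from the MISP galaxy or from the Spectre authors: a minimal variant-1 gadget in C beside the branchless index-masking hardening of the kind the Linux kernel applies through array_index_nospec(). The array names, sizes and function names are illustrative; the block shows the mask's architectural behaviour (an out-of-range index is forced to 0 without a branch) and does not measure cache timing, so it does not by itself demonstrate the leak.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not the galaxy's or the Spectre authors' code).
 * array1/array2 and their sizes are illustrative. */
#define ARRAY1_SIZE 16
#define CACHE_LINE  512

static uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * CACHE_LINE];

/* Variant 1 gadget. Architecturally the branch protects array1, but the
 * CPU may run the body speculatively while the comparison is pending;
 * the access to array2 then touches a cache line whose index is the
 * out-of-bounds byte array1[x], which a timing probe can recover. */
uint8_t victim_unsafe(size_t x) {
    uint8_t y = 0;
    if (x < ARRAY1_SIZE)
        y = array2[array1[x] * CACHE_LINE];
    return y;
}

/* Branchless mask: SIZE_MAX when idx < size, 0 otherwise. It is computed
 * with arithmetic rather than a branch, so a misspeculated path still
 * sees a zero mask. Requires idx and size below SIZE_MAX/2, the same
 * precondition as the kernel's generic array_index_mask_nospec(). */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    size_t t = idx | (size - 1 - idx);      /* top bit set iff idx >= size */
    return (t >> (sizeof(size_t) * 8 - 1)) - 1;
}

/* Clamps idx to 0 when out of range, even on a speculative path. */
size_t clamp_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened gadget: the same bounds check, but the index used for the
 * load is forced to 0 whenever the check would not have passed. */
uint8_t victim_hardened(size_t x) {
    uint8_t y = 0;
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        y = array2[array1[x] * CACHE_LINE];
    }
    return y;
}
```

On the architectural path both victims behave identically; the difference is only what the load can touch while the CPU is guessing. Compiler barriers or an lfence after the check are the alternative mitigation, at a higher cost per check.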
Heartbleed
Heartbleed is a security bug in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension, from which the bug’s name derives. The vulnerability is classified as a buffer over-read: more data can be read than should be allowed.
The tag is: misp-galaxy:branded-vulnerability="Heartbleed"
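The missing bounds check, as an added example that is neither OpenSSL's code nor the galaxy's: a C model of a heartbeat request handler that trusts the 16-bit payload length in the message, beside one that applies the check the OpenSSL fix added (the claimed payload plus header and padding must fit within the record actually received). The memory image, the "SECRETKEY" bytes standing in for neighbouring heap contents, and the function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenSSL's code. Heartbeat request layout per the
 * TLS heartbeat extension: 1 byte type, 2-byte big-endian payload
 * length, payload, at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_PADDING 16
#define IMAGE_SIZE 96

/* Builds a constructed memory image: a 23-byte record that claims a
 * 64-byte payload but carries only "ping", followed by bytes standing
 * in for whatever sat next to it on the heap. Returns the number of
 * bytes actually received for the record. */
size_t build_image(uint8_t *buf) {
    memset(buf, 'X', IMAGE_SIZE);
    buf[0] = HB_REQUEST;
    buf[1] = 0x00; buf[2] = 0x40;          /* claimed payload length 64 */
    memcpy(buf + 3, "ping", 4);            /* real payload */
    memset(buf + 7, 0, HB_PADDING);        /* padding */
    memcpy(buf + 23, "SECRETKEY", 9);      /* neighbouring heap data */
    return 3 + 4 + HB_PADDING;
}

static uint16_t claimed_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: copies `payload` bytes into the response using the
 * length the peer supplied, never comparing it with rec_len. The copy
 * stays inside the image here only so the demonstration is well defined. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the bug: received length ignored */
    uint16_t payload = claimed_len(rec);
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);          /* over-reads past the record */
    return payload;
}

/* Hardened handler with the fix's check. A record shorter than header
 * plus padding, or whose claimed payload does not fit in the bytes
 * received, is silently discarded. */
size_t heartbeat_hardened(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = claimed_len(rec);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Returns 1 if the vulnerable handler's response contains the
 * neighbouring "SECRETKEY" bytes. */
int vulnerable_leaks_secret(void) {
    uint8_t img[IMAGE_SIZE], out[IMAGE_SIZE];
    size_t rec_len = build_image(img);
    size_t n = heartbeat_vulnerable(img, rec_len, out, sizeof out);
    return n == 64 && memcmp(out + 20, "SECRETKEY", 9) == 0;
}

/* Returns 1 if the hardened handler rejects the malformed request yet
 * still answers a well-formed one (length field set to the real 4). */
int hardened_rejects_and_still_serves(void) {
    uint8_t img[IMAGE_SIZE], out[IMAGE_SIZE];
    size_t rec_len = build_image(img);
    if (heartbeat_hardened(img, rec_len, out, sizeof out) != 0) return 0;
    img[1] = 0x00; img[2] = 0x04;           /* honest length */
    size_t n = heartbeat_hardened(img, rec_len, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}
```

The silent discard rather than an error reply matches what the fix did; answering with an alert would give an attacker a second length oracle.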
Shellshock
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The tag is: misp-galaxy:branded-vulnerability="Shellshock"
Ghost
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. The bug can be triggered both locally and remotely via all the gethostbyname*() functions, through which applications access the DNS resolver to convert a hostname into an IP address.
The tag is: misp-galaxy:branded-vulnerability="Ghost"
Stagefright
Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things is used to unpack MMS messages. Exploitation of the bugs allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrated the bugs with a proof of concept that sends specially crafted MMS messages to the victim device; in most cases it requires no end-user action upon message reception to succeed, since the message is processed in the background before the user sees it. The victim’s phone number is the only target information required.
The tag is: misp-galaxy:branded-vulnerability="Stagefright"
Badlock
Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers.
The tag is: misp-galaxy:branded-vulnerability="Badlock"
Dirty COW
Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.
The tag is: misp-galaxy:branded-vulnerability="Dirty COW"
POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed it publicly on October 14, 2014 (despite the paper being dated "September 2014"). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.
The tag is: misp-galaxy:branded-vulnerability="POODLE"
BadUSB
The ‘BadUSB’ vulnerability exploits the unprotected, rewritable firmware of USB devices in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming its firmware. Because the reprogrammed firmware is not monitored or assessed by host security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.
The tag is: misp-galaxy:branded-vulnerability="BadUSB"
ImageTragick
The tag is: misp-galaxy:branded-vulnerability="ImageTragick"
Blacknurse
Blacknurse is a low-bandwidth DDoS attack, first described in November 2016, that uses ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable) packets to cause high CPU load on the receiving device. The earliest samples we have seen supporting this DDoS method are from September 2017.
The tag is: misp-galaxy:branded-vulnerability="Blacknurse"
SPOILER
SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.
The tag is: misp-galaxy:branded-vulnerability="SPOILER"
Links |
https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/ |
BlueKeep
A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware.
The tag is: misp-galaxy:branded-vulnerability="BlueKeep"
Links |
https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/ |
Cert EU GovSector
Cert EU GovSector.
Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Various
Constituency
The tag is: misp-galaxy:cert-eu-govsector="Constituency"
EU-Centric
The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"
EU-nearby
The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"
World-class
The tag is: misp-galaxy:cert-eu-govsector="World-class"
Unknown
The tag is: misp-galaxy:cert-eu-govsector="Unknown"
Outside World
The tag is: misp-galaxy:cert-eu-govsector="Outside World"
China Defence Universities Tracker
The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre.
China Defence Universities Tracker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Australian Strategic Policy Institute
Academy of Military Science (中国人民解放军军事科学院)
AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.
The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"
Links |
https://unitracker.aspi.org.au/universities/academy-of-military-science |
Aero Engine Corporation of China (中国航空发动机集团有限公司)
AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC. AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene. AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.
The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china |
Air Force Command College (中国人民解放军空军指挥学院)
The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958. The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.
The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-command-college |
Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)
The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.
The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"
Links |
https://unitracker.aspi.org.au/universities/air-force-communications-officers-college |
Air Force Early Warning Academy (中国人民解放军空军预警学院)
The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.
The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-early-warning-academy |
Air Force Engineering University (中国人民解放军空军工程大学)
The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat. AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline. Colleges under AFEU include:
The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/air-force-engineering-university |
Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)
Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)
The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang |
Air Force Harbin Flight Academy (空军哈尔滨飞行学院)
The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, a 2,500 m² large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced trainings like simulated tactical confrontations.
The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy |
Air Force Logistics University (中国人民解放军空军后勤学院)
The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.
The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-logistics-university |
Air Force Medical University (中国人民解放军空军军医大学)
The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research. The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.
The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"
Links |
https://unitracker.aspi.org.au/universities/fourth-military-medical-university |
Air Force Research Institute (中国人民解放军空军研究院)
The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.
The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-research-institute |
Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)
Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat’, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.
The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"
Links |
https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy |
Anhui University (安徽大学)
Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.
The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"
Links |
https://unitracker.aspi.org.au/universities/anhui-university |
Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)
The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces |
Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)
The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense |
Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)
With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.
The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"
Links |
https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense |
Army Aviation College (中国人民解放军陆军航空兵学院)
The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.
The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-aviation-college |
Army Engineering University (中国人民解放军陆军工程大学)
The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force. The university’s areas of research include:
The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/army-engineering-university |
Army Infantry Academy (中国人民解放军陆军步兵学院)
The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.
The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"
Links |
https://unitracker.aspi.org.au/universities/army-infantry-academy |
Army Medical University (中国人民解放军陆军军医大学)
The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.
The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"
Links |
https://unitracker.aspi.org.au/universities/army-medical-university |
Army Military Transportation Academy (中国人民解放军陆军军事交通学院)
The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.
The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"
Links |
https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2 |
Army Research Institute (中国人民解放军陆军研究院)
The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology. The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commercialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.
The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"
Links |
https://unitracker.aspi.org.au/universities/army-research-institute |
Army Service Academy (中国人民解放军陆军勤务学院)
The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.
The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"
Links |
https://unitracker.aspi.org.au/universities/army-service-academy |
Army Special Operations Academy (中国人民解放军陆军特种作战学院)
The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.
The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"
Links |
https://unitracker.aspi.org.au/universities/army-special-operations-academy |
Aviation Industry Corporation of China (中国航空工业集团有限公司)
AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management. The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website. AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.
The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china |
Aviation University of Air Force (中国人民解放军空军航空大学)
AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command. AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.
The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"
Links |
https://unitracker.aspi.org.au/universities/aviation-university-of-air-force |
Beihang University (北京航空航天大学)
Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector.
Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology.
Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.
The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"
Links |
https://unitracker.aspi.org.au/universities/beihang-university |
Beijing Electronic Science and Technology Institute (北京电子科技学院)
BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership.
BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates.
BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity.
The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.
The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"
Links |
https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute |
Beijing Institute of Technology (北京理工大学)
BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector.
BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems.
BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器).
BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.
The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-institute-of-technology |
Beijing University of Chemical Technology (北京化工大学)
BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research.
Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years.
BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry.
BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.
The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology |
Beijing University of Posts and Telecommunications (北京邮电大学)
BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research.
The School of Cyberspace Security is home to one of the university’s two defence laboratories, the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education, which carries out research for the Chinese military related to cyber attacks.
BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.
The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications |
Central South University (中南大学)
Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and supporting the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute.
CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.
The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"
Links |
https://unitracker.aspi.org.au/universities/central-south-university |
Changchun University of Science and Technology (长春理工大学)
CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years of its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’
CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armaments science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院). CUST researchers working on AI are likely involved in research related to facial recognition technology.
The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"
Links |
https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology |
China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)
CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics.
While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes (pictured: CARDC director, Major General Fan Zhaolin (范召林), in uniform (above) and in civilian attire on CARDC’s website (below)).
The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"
Links |
https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center |
China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)
CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion).
Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.
The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation |
China Aerospace Science and Technology Corporation (中国航天科技集团)
CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list.
PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration.
CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’
CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative.
The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:
The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"
Links |
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation |
China Coast Guard Academy (中国人民武装警察部队海警学院)
The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines.
The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.
The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"
Links |
https://unitracker.aspi.org.au/universities/china-coast-guard-academy |
China Electronics Corporation (中国电子信息产业集团有限公司)
CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semiconductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate.
CEC is one of China’s largest companies with nearly 120,000 employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English.
CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC.
CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.
The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-electronics-corporation |
China Electronics Technology Group Corporation (中国电子科技集团公司)
CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella.
CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees.
CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5 million people are held in re-education camps.
Several CETC research institutes and subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports.
CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.
The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"
Links |
https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation |
China National Nuclear Corporation (中国核工业集团有限公司)
CNNC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团).
The company is organized into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering.
Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established a military-civil fusion fund dedicated to dual-use nuclear technology research and design.
Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds.
CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.
The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation |
China North Industries Group (中国兵器工业集团公司)
Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500.
Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website.
Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).
The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"
Links |
https://unitracker.aspi.org.au/universities/china-north-industries-group |
China People’s Police University (中国人民警察大学)
The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control.
Research facilities at the university include:
The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"
Links |
https://unitracker.aspi.org.au/universities/china-peoples-police-university |
China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)
CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program.
CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships.
On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.
The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation |
China South Industries Group (中国兵器装备集团有限公司)
CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, light armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company.
CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.
The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-south-industries-group |
China State Shipbuilding Corporation (中国船舶工业集团有限公司)
CSSC was established as one of China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’
On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and the CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’
The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"
Links |
https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation |
China University of Geosciences (Wuhan) (中国地质大学)
CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’.
CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.
The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"
Links |
https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan |
China University of Mining and Technology (中国矿业大学)
CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research.
CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家红点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).
The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"
Links |
https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology |
Chinese Academy of Engineering Physics (中国工程物理研究院)
CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base, the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base.
The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialities, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering.
CAEP hosts part of the Tianhe-2 supercomputer, one of the world’s fastest supercomputers.
Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars.
CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.
The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"
Links |
https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics |
Chongqing University (重庆大学)
CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets.
In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, in May 2018 Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control, which works on control systems engineering.
The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university |
Chongqing University of Posts and Telecommunications (重庆邮电大学)
CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialized chip design. It ranks among the top 100 universities in China for science and technology.
The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications |
Chongqing University of Technology (重庆理工大学)
CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However, its involvement in defence research does not appear as expansive as that of the other B8 members, and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university.
The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed partnerships with four local defence companies to collaborate on research and training.
In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.
The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"
Links |
https://unitracker.aspi.org.au/universities/chongqing-university-of-technology |
Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)
COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website. Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students. COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea, which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.
The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"
Links |
https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china |
Criminal Investigation Police University of China (中国刑事警察学院)
CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law. The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualization services for MPS bureaus across China.
The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"
Links |
https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china |
Dalian Minzu University (大连民族大学)
DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government. Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China. DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at the laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups. DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology. DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities is likely to be another priority for the department.
The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"
Links |
https://unitracker.aspi.org.au/universities/dalian-minzu-university |
Dalian Naval Academy (中国人民解放军海军大连舰艇学院)
The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science. Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:
The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"
Links |
https://unitracker.aspi.org.au/universities/dalian-naval-academy |
Dalian University of Technology (大连理工大学)
DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances. In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where they manage projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.
The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"
Links |
https://unitracker.aspi.org.au/universities/dalian-university-of-technology |
Donghua University (东华大学)
DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects. DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.
The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"
Links |
https://unitracker.aspi.org.au/universities/donghua-university |
East China University of Technology (东华理工大学)
ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defense-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT. ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.
The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"
Links |
https://unitracker.aspi.org.au/universities/east-china-university-of-technology |
Engineering University of the CAPF (中国人民武装警察部队工程大学)
The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering. The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas. The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:
The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"
Links |
https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf |
Fudan University (复旦大学)
Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage in high levels of work for the military on materials science, including stealth technology. All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院), in partnership with China’s National Administration of State Secrets Protection (国家保密局). The institute carries out research and training on the protection of state secrets.
The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"
Links |
https://unitracker.aspi.org.au/universities/fudan-university |
Fuzhou University (福州大学)
Fuzhou University is overseen by the Fujian Provincial Government and has a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number of defence companies and military research institutions under the guidance of the Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.
The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"
Links |
https://unitracker.aspi.org.au/universities/fuzhou-university |
Guilin University of Electronic Science and Technology (桂林电子科技大学)
GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018. The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology |
Hangzhou Dianzi University (杭州电子科技大学)
HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines. HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development. Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018. HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.
The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university |
Hangzhou Normal University (杭州师范大学)
Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院). Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision—China’s leading producer of video surveillance technology—to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.
The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"
Links |
https://unitracker.aspi.org.au/universities/hangzhou-normal-university |
Harbin Engineering University (哈尔滨工程大学)
HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector. As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects. HEU’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center. HEU is an important hub of research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.
The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"
Links |
https://unitracker.aspi.org.au/universities/harbin-engineering-university |
Harbin Institute of Technology (哈尔滨工业大学)
HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million)—more than half of its research budget—on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector. HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry. HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in information warfare. In 2003, HIT founded its Information Countermeasures Technology Research Institute (哈尔滨工业大学信息对抗技术研究所).
The tag is: misp-galaxy:china-defence-universities="Harbin Institute of Technology (哈尔滨工业大学)"
Links |
https://unitracker.aspi.org.au/universities/harbin-institute-of-technology |
Harbin University of Science and Technology (哈尔滨理工大学)
HRBUST focuses on engineering, science, economics, management, philosophy, literature, law and education. In 2015, it was placed under the joint supervision of the Heilongjiang Provincial Government and SASTIND, which is an arrangement designed to develop the university’s involvement in defence-related research and training. HRBUST’s relationship with SASTIND indicates that it will continue expanding its role in defence research. Currently, the university has at least four designated national defense disciplines and plans to build a national defense key laboratory. It holds secret-level security credentials.
The tag is: misp-galaxy:china-defence-universities="Harbin University of Science and Technology (哈尔滨理工大学)"
Links |
https://unitracker.aspi.org.au/universities/harbin-university-of-science-and-technology |
Hebei University (河北大学)
Hebei University is Hebei Province’s only comprehensive university. The university is subordinate to the Ministry of Education and also supervised by the Hebei Provincial Government and defence industry agency SASTIND. Its supervision by SASTIND, which began in 2013, is designed to support the university in ‘strengthening its national defence characteristics’. HBU appears to be relatively secretive about its defence research. In 2017, SASTIND designated an area of research at the university’s College of Physics Science and Technology as a ‘discipline with defence characteristics’. An article about this on the university’s news site has been taken down and deliberately did not specify the discipline. However, a speech given by the head of the college named military-use power and energy as HBU’s only defence discipline. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2017, HBU held a forum on military-civil fusion for technology and innovation to ‘uncover the university’s potential for defence-industry technological research’ and encourage greater integration with defence companies.
The tag is: misp-galaxy:china-defence-universities="Hebei University (河北大学)"
Links |
https://unitracker.aspi.org.au/universities/hebei-university |
Hebei University of Science and Technology (河北科技大学)
HEBUST engages in moderate but growing levels of defence research. It has been supervised by defence industry agency SASTIND since 2013, when SASTIND and the Hebei Provincial Government agreed to jointly develop the university’s involvement in defence research. By 2017, the university claimed to have completed 300 defence projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects. While the university does not appear to have any dedicated defence laboratories, it has described five of its laboratories as platforms for defence research. Areas of materials science, mechanical engineering and control science at HEBUST have been designated ‘disciplines with national defence characteristics’ by SASTIND. HEBUST may also be pursuing greater integration between China’s defence needs and the university’s research on textiles engineering and biological fermentation. HEBUST states that it has developed close cooperation with China Electronics Technology Group Corporation’s 54th Research Institute, an organization blacklisted on the US Government Entity List. Defence industry conglomerate Aviation Industry Corporation of China also funds research at the university.
The tag is: misp-galaxy:china-defence-universities="Hebei University of Science and Technology (河北科技大学)"
Links |
https://unitracker.aspi.org.au/universities/hebei-university-of-science-and-technology |
Hefei University of Technology (合肥工业大学)
HFUT is a leading Chinese university subordinate to the Ministry of Education. It specialises in engineering and engages in growing levels of defence research, particularly in the fields of advanced materials, smart manufacturing and electronic information. As of 2018, HFUT was the only civilian university in Anhui Province fully certified to carry out military projects, holding secret-level security credentials, and had undertaken over 200 such projects. In 2018, the university came under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND. According to HFUT, this agreement ‘will powerfully advance the university’s development of national defence disciplines, training of talent for defence industry, and construction of defence industry and national defence research platforms.’ Miao Wei, head of the Ministry of Industry and Information Technology, which oversees China’s defence industry, is a graduate of HFUT.
The tag is: misp-galaxy:china-defence-universities="Hefei University of Technology (合肥工业大学)"
Links |
https://unitracker.aspi.org.au/universities/hefei-university-of-technology |
Heilongjiang Institute of Technology (黑龙江工程学院)
HLJIT is an engineering-focused university that engages in growing levels of defence research. In 2015, the Heilongjiang Provincial Government partnered with defence industry agency SASTIND to expand the university’s ability to ‘show its national defence characteristics and serve the national defence science and technology industry.’ SASTIND has designated military-use power and energy, optoelectronics and laser technology, and computing as three ‘disciplines with national defence characteristics’ at HLJIT. In June 2016, HLJIT and ZTE jointly launched an MOE-ZTE ICT Product-Teaching Integration Innovation Base (教育部-中兴通讯ICT产教融合创新基地) and established the Heilongjiang School of Engineering-ZTE Information and Communications Technology College (黑龙江工程学院-中兴信息通信技术学院). ZTE has been reportedly barred from US government contracts. As it increases its implementation of military-civil fusion, HLJIT has developed relationships with defence conglomerates. The university is particularly close to China Aerospace Science and Technology Corporation (CASC), a leading state-owned manufacturer of long-range missiles and satellites. In 2017, HLJIT partnered with a subsidiary of CASC to establish a joint research centre, the Aerospace Smart City Research Institute. The subsidiary, Aerospace Shenzhou Smart System Technology Co., Ltd. (航天神舟智慧系统技术有限公司), specialises in smart city and informatization technology. HLJIT holds confidential-level security credentials, allowing it to participate in confidential defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Heilongjiang Institute of Technology (黑龙江工程学院)"
Links |
https://unitracker.aspi.org.au/universities/heilongjiang-institute-of-technology |
Heilongjiang University (黑龙江大学)
HLJU is supervised by the Ministry of Education, the Heilongjiang Provincial Government and SASTIND. SASTIND’s supervision of the university is designed to promote its integration with China’s defence technology goals. In 2016, the year after HLJU came under SASTIND’s supervision, the university received third-class security credentials and funding for a national defence technology research project for the first time. Third-class security credentials allow the university to participate in confidential defence research projects. By 2018, HLJU claimed to have received RMB13 million (AUD2.7 million) in defence research funding. HLJU has close ties with Russian universities and is best known for its work in the Chemistry, Chemical Engineering and Materials Department, which entered the top 1 percent of ESI’s global rankings.
The tag is: misp-galaxy:china-defence-universities="Heilongjiang University (黑龙江大学)"
Links |
https://unitracker.aspi.org.au/universities/heilongjiang-university |
Henan University of Science and Technology (河南科技大学)
HAUST is Henan province’s leading civilian university for defence research. In 2008, it became the first university in the province to receive security credentials allowing it to participate in classified weapons projects. In 2016, it became the province’s only university subject to a ‘joint-construction’ agreement with defence industry agency SASTIND, an arrangement designed to increase HAUST’s involvement in defence research. As early as 2009, the university stated that it had made great contributions to the defence and aviation industries, undertaking large amounts of defence research projects. HAUST describes itself as China’s primary university for research and training for the mechanical bearings (such as ball bearings) industry. SASTIND has designated three areas of research at the university as ‘disciplines with defence characteristics’, covering systems engineering, materials science and mechanics. The university is actively involved in military-civil fusion activities. The university claims to have made important contributions to the development of bearings for aircraft engines, satellites, and spacecraft. It states that it has resolved critical technological problems for specific weapons guidance systems, ballistic missile testing systems and an infrared targeting and interference emulation system that are probably used to test guided missiles.
The tag is: misp-galaxy:china-defence-universities="Henan University of Science and Technology (河南科技大学)"
Links |
https://unitracker.aspi.org.au/universities/henan-university-of-science-and-technology |
Huazhong University of Science and Technology (华中科技大学)
HUST is one of China’s leading research institutions. While the university is subordinate to the Ministry of Education, it has also been supervised by the State Administration of Science, Technology and Industry for National Defense since 2012. The university hosts at least six laboratories dedicated to defence research. Its National Defence Research Institute reportedly oversees defence research in seven other HUST research centres. Artificial intelligence, shipbuilding, image processing, navigation technology, mechanical engineering, electronics, materials science and laser physics are focuses of HUST’s defence research. HUST has worked closely with the PLA and China’s defence industry. This collaboration includes the development of artificial intelligence and imaging technology for weapons. The university’s work on pulsed power is linked to China’s nuclear and directed-energy weapons program. China’s state-owned defence conglomerates and China’s nuclear warhead facility sponsor dozens of HUST postgraduate students each year, who are required to work at their sponsoring organisation for at least five years after graduating. HUST holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence projects.
The tag is: misp-galaxy:china-defence-universities="Huazhong University of Science and Technology (华中科技大学)"
Links |
https://unitracker.aspi.org.au/universities/huazhong-university-of-science-and-technology |
Hunan University (湖南大学)
HNU is a leading Chinese university subordinate to the Ministry of Education. In recent years, its participation in defence research appears to have grown substantially. In 2010, it established the National Supercomputer Center in Changsha jointly with the PLA National University of Defense Technology, which has since been placed on the US Government Entity List for its suspected role in nuclear weapons research. In 2011, China’s defence industry agency, SASTIND, entered a partnership with the MOE to expand the university’s participation in defence research and defence industry ties. This arrangement was renewed in 2016. In 2013, SASTIND and the Hunan Provincial Government also signed an agreement to jointly support the development of the university’s National Supercomputer Center. HNU holds secret-level security credentials, enabling it to participate in research and production for weapons and other defence projects.
The tag is: misp-galaxy:china-defence-universities="Hunan University (湖南大学)"
Links |
https://unitracker.aspi.org.au/universities/hunan-university |
Hunan University of Science and Technology (湖南科技大学)
HNUST is an engineering-focused university founded in 2003. In 2016, it was subject to a ‘joint-construction’ agreement between the Hunan Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defence-related research and training. The university has three designated defence research areas, is involved in weapons research, and has confidential-level security credentials.
HNUST is home to two national defence key laboratories, one of which is in the School of Materials Science and Engineering. The university has also established its Intelligent Manufacturing Institute, which evolved from a provincial key laboratory and has connections to the Made in China 2025 strategy.
HNUST is also linked to state-owned arms manufacturer Norinco Group. In 2018, it signed a strategic cooperation agreement with Norinco’s National Defence Key Laboratory on Light Weapons Terminal Lethality Technology (轻武器终点杀伤技术国防科技重点实验 aka 瞬态冲击技术国防科技重点实验室).
The tag is: misp-galaxy:china-defence-universities="Hunan University of Science and Technology (湖南科技大学)"
Links |
https://unitracker.aspi.org.au/universities/hunan-university-of-science-and-technology |
Information Engineering University (中国人民解放军信息工程大学)
IEU was formed in June 2017, combining the old Information Engineering University with the PLA Foreign Languages University. PLA experts have described IEU as ‘the sole military academy for the cyber and electronic warfare arms of China’s network-electronic forces’.
The IEU is currently subordinate to the PLA Strategic Support Force’s Network Systems Department, which holds the military’s signals intelligence capabilities. Previously, the university was run by the General Staff Department Third Department (commonly known as 3PLA), the PLA’s signals intelligence service, which has been incorporated into the Strategic Support Force. IEU’s command tracks include Network Engineering (网络工程), which is dedicated to the cultivation of cyber attack and defence technical cadre (网络攻防技术干部). It is responsible for the construction of the Henan Provincial Laboratory of Visible Light Communication (河南省可见光通信重点实验室).
The university is primarily known for research and training on hacking, cryptography, signals processing, surveying and mapping, and navigation technology. However, since absorbing the PLA Foreign Languages University, it now serves as one of the most important language schools for Chinese military intelligence officers, describing itself as a ‘whole-military foreign languages training base for individuals going abroad’. While the PLA Foreign Languages University is best known for training signals intelligence officers, it has also trained many officers in the PLA’s political warfare wing, the Central Military Commission Political Work Department Liaison Bureau.
The tag is: misp-galaxy:china-defence-universities="Information Engineering University (中国人民解放军信息工程大学)"
Links |
https://unitracker.aspi.org.au/universities/information-engineering-university-2 |
Institute of NBC Defense (陆军防化学院)
The Institute of NBC Defense is the PLA’s premier institution devoted to training junior, mid-career and senior officers on technology related to defence against nuclear, biological and chemical weapons. Most scientific research tends to focus on radiation protection and nuclear safety.
The tag is: misp-galaxy:china-defence-universities="Institute of NBC Defense (陆军防化学院)"
Links |
https://unitracker.aspi.org.au/universities/institute-of-nbc-defense |
Jiangnan Social University (江南社会学院)
JSU trains intelligence officers in tradecraft and carries out research on intelligence and security. The university first opened in 1986 with over 600 students and staff. Since 1999, it has run the Journal of Jiangnan Social University, which publishes research on international security, strategy and politics. Satellite and street view imagery from Google Maps and Baidu appears to show a shooting range at the southern end of its campus.
The tag is: misp-galaxy:china-defence-universities="Jiangnan Social University (江南社会学院)"
Links |
https://unitracker.aspi.org.au/universities/jiangnan-social-university |
Jiangsu University of Science and Technology (江苏科技大学)
JUST engages in high levels of defence research. With a focus on research relevant to the PLA Navy, JUST is supervised by the China State Shipbuilding Corporation and the China Shipbuilding Industry Corporation, China’s leading defence shipbuilding conglomerates. In 2002, JUST was one of eight universities jointly supervised by defence industry agency COSTIND and a provincial government. In 2016, it was the subject of an agreement between the Jiangsu Provincial Government and defence industry agency SASTIND to expand its role in defence research.
JUST scientists have been involved in nuclear submarine, unmanned submersible and aircraft carrier projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.
Faculties at the university involved in defence research include the School of Naval Architecture and Ocean Engineering and the School of Energy and Propulsion.
The tag is: misp-galaxy:china-defence-universities="Jiangsu University of Science and Technology (江苏科技大学)"
Links |
Jilin University (吉林大学)
JLU is directly under the administration of the Ministry of Education and came under the joint supervision of the ministry and defence industry agency SASTIND in 2016. In 2017, SASTIND designated eight fields of research at JLU as national defence disciplines, indicating the university carries out high levels of defence research. In 2012, JLU spent roughly RMB60 million (AUD12.5 million) on defence research, a number that is likely to have grown substantially.
JLU’s National Defense Science and Technology Research Institute, also known as the Advanced Technology Research Institute, was established in April 2006 and is responsible for the organisation and management of the university’s national defence science and technology projects. The research institute has received several certifications to conduct research for military applications. It conducts research in collaboration with the former PLA General Armaments Department, SASTIND, and state-owned defence conglomerates in the fields of aviation, aerospace, electronics, nuclear technology, and shipbuilding.
JLU’s State Key Laboratory of Superhard Materials (超硬材料国家重点实验室) works closely with China’s nuclear weapons complex, the Chinese Academy of Engineering Physics (CAEP). Job advertisements for a CAEP subsidiary, the Center for High Pressure Science & Technology Advanced Research (北京高压科学研究中心), state that it has a branch within Jilin University. This suggests that CAEP may even be involved in managing the State Key Laboratory of Superhard Materials.
The university hosts at least two defence research labs, located in the university’s College of Computer Science and Technology and in the College of Chemistry. Its Key Laboratory of Attack and Defense Simulation Technology for Naval Warfare, Ministry of Education (海战场攻防对抗仿真技术教育部重点实验室(B类)) is involved in cybersecurity research for the Navy. The lab’s academic committee is headed by a computer scientist from China Aerospace Science and Technology Corporation, a leading state-owned missile manufacturer.
JLU holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Jilin University (吉林大学)"
Links |
https://unitracker.aspi.org.au/universities/jilin-university |
Kunming University of Science and Technology (昆明理工大学)
Kunming University of Science and Technology appears to engage in low levels of defence research, but its involvement in defence research is likely to grow. In 2017, Kunming University of Science and Technology signed an agreement with Yunnan’s defence technology bureau to deepen military-civil fusion. In 2018, the Yunnan Provincial Government and defence industry agency SASTIND signed an agreement to jointly construct KMUST. The agreement is designed to increase the university’s involvement in defence research.
KMUST carries out high levels of research on metallurgy. It is involved in defence research related to China’s aviation industry, and collaborates with defence shipbuilding conglomerate CSIC on vibration and noise research.
The tag is: misp-galaxy:china-defence-universities="Kunming University of Science and Technology (昆明理工大学)"
Links |
https://unitracker.aspi.org.au/universities/kunming-university-of-science-and-technology |
Lanzhou University (兰州大学)
LZU’s involvement in defence research has slowly grown over the past decade. In 2018, it spent over RMB50 million (AUD10 million) on defence projects.
LZU is subordinate to the Ministry of Education. Since 2018, it has also been supervised by defence industry agency SASTIND in an arrangement designed to further expand the university’s defence research and its defence industry relationships.
LZU carries out national defence-related research in areas such as nuclear science, electromagnetism, probes, chemistry, mechanics, materials science, stealth technology and information technology.
In 2017 and 2018, LZU signed strategic agreements with state-owned defence companies Norinco Group, China’s largest arms manufacturer, and China National Nuclear Corporation. Several defence companies, as well as China’s nuclear weapons program, provide scholarships for dozens of LZU postgraduate students each year. In return, these students must work for their sponsoring organisation for five years after graduation.
In 2005, LZU received secret-level security credentials that allow it to participate in classified weapons projects.
The tag is: misp-galaxy:china-defence-universities="Lanzhou University (兰州大学)"
Links |
https://unitracker.aspi.org.au/universities/lanzhou-university |
Lanzhou University of Technology (兰州理工大学)
The tag is: misp-galaxy:china-defence-universities="Lanzhou University of Technology (兰州理工大学)"
Links |
https://unitracker.aspi.org.au/universities/lanzhou-university-of-technology |
Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)
The Logistics University of the People’s Armed Police Force is an institution devoted to training personnel in logistics for China’s paramilitary service, the People’s Armed Police. The university teaches subjects in applied economics, military logistics studies, paramilitary logistics, applied psychology, as well as communications and transportation engineering.
The Logistics University of the People’s Armed Police Force actively collaborates with private institutions and civilian universities on scientific research. For example, the university collaborated with Nankai University (南开大学) and the Tianjin Eminent Electric Cell Material Company (天津爱敏特电池材料有限公司) on high-performance lithium and sodium ion materials in 2018. The university also collaborated with Tianjin Polytechnic University (天津工业大学) on intelligent wearable technology that monitors heart rates for both military and civilian personnel.
The tag is: misp-galaxy:china-defence-universities="Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)"
Links |
https://unitracker.aspi.org.au/universities/logistics-university-of-the-peoples-armed-police-force |
Nanchang Hangkong University (南昌航空大学)
NCHU engages in high levels of defence research relevant to the aviation industry. In 2017, the Ministry of Education designated it a ‘school with national defence education characteristics’, and 30% of graduates go to work in the defence industry or civilian aviation companies. The university has been supervised by defence industry agency SASTIND since 2010. It holds secret-level security credentials.
Five fields of research at NCHU are designated ‘national defence key disciplines’: precision forming and joining technology, component quality testing and control, testing and measurement technology and instruments, optoelectronic and laser technology, and military-use critical materials. The university hosts at least three laboratories focused on defence research.
NCHU is particularly close to AVIC, the Chinese military’s aircraft manufacturing company. In particular, AVIC subsidiary Hongdu Aviation Industry Group (洪都航空工业集团) is based in Nanchang and has frequent exchanges with NCHU.
The tag is: misp-galaxy:china-defence-universities="Nanchang Hangkong University (南昌航空大学)"
Links |
https://unitracker.aspi.org.au/universities/nanchang-hangkong-university |
Nanchang University (南昌大学)
NCU engages in low levels of defence research. It holds secret-level security credentials, allowing it to carry out classified defence research. In 2006, it established a defence research institute together with five provincial defence industry companies. Based on affiliated staff members, the institute may be focused on mechanical engineering.
The university was added to the US Government Unverified List in 2018. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.
The tag is: misp-galaxy:china-defence-universities="Nanchang University (南昌大学)"
Links |
https://unitracker.aspi.org.au/universities/nanchang-university |
Nanjing Army Command College (南京陆军指挥学院)
The Nanjing Army Command College is an institute devoted to training mid-career staff officers in preparation for command in the PLA Ground Force. Disciplines of focus for the college include joint campaign tactics, warfighting command, military training and combat simulations.
The tag is: misp-galaxy:china-defence-universities="Nanjing Army Command College (南京陆军指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-army-command-college |
Nanjing Institute of Information Technology (南京信息技术研究院)
The tag is: misp-galaxy:china-defence-universities="Nanjing Institute of Information Technology (南京信息技术研究院)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-institute-of-information-technology |
Nanjing Normal University (南京师范大学)
Nanjing Normal University is a leading Chinese university supervised by the Ministry of Education and the Jiangsu Provincial Government. The university has strengths in geospatial technology, big data and artificial intelligence.
Nanjing Normal University has close ties to the Ministry of Public Security. In 2014, the university established the Ministry of Public Security Key Laboratory for Police Geospatial Information Technology (警用地理信息技术公安部重点实验室), which researches applications of geospatial information technology for policing purposes. Nanjing Normal University has also entered into an agreement with the Nanjing Municipal Public Security Bureau, establishing the ‘Video GIS Technology Laboratory’ (视频GIS技术实验室) in April 2012.
Nanjing Normal University has a close relationship with the regional government in Xinjiang, where over 1 million Uyghurs and Kazakhs are currently held in internment camps. In 2015, the university entered into an agreement with the Xinjiang Uyghur Autonomous Region Government and the Jiangsu Provincial Government to support the development of Yili Normal University.
The tag is: misp-galaxy:china-defence-universities="Nanjing Normal University (南京师范大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-normal-university |
Nanjing Tech University (南京工业大学)
In 2016, NJTech came under the joint supervision of the Jiangsu Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defence-related research and training. The university has four designated defence research areas and secret-level security credentials, allowing it to undertake classified defence technology projects.
NJTech is expanding its defence research on materials science, chemistry, optical engineering and systems engineering. In 2018, the university established a Military-Civil Fusion Development Research Institute to deepen its implementation of military-civil fusion. NJTech has a Defence Industry Science Office (军工科研办公室) within its Department of Scientific Research. This office is responsible for the university’s defence-related research and coordination. NJTech’s School of Materials Science and Engineering (材料科学与工程学院) has previously worked on defence-related projects.
The university has international ties with universities in England that focus on electronics and semiconductors. It has also established a joint research centre with Russian universities for advanced technology R&D.
The tag is: misp-galaxy:china-defence-universities="Nanjing Tech University (南京工业大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-tech-university |
Nanjing University (南京大学)
NJU is subordinate to the MOE and has also been supervised by defence industry agency SASTIND since 2012. In 2016, the university was selected as a participant in the first batch of national dual-use demonstration bases, and a year later, in 2017, it was selected as a Class A world-class university. NJU is home to at least two defence laboratories and has committed to deepening its involvement in military-civil fusion. NJU was the first university in China to establish a State Secrecy Academy, in 2009, and is involved in cyber security research.
In 2018, NJU established an Institute of Artificial Intelligence and reported its research progress to the Jiangsu Provincial Committee of Military-Civil Fusion when the committee visited the university. Following the visit, the provincial committee expressed interest in deepening cooperation on MCF projects in order to promote Jiangsu’s MCF work. The Institute of AI also co-built a research centre with Intel, the Intel-Nanjing University Artificial Intelligence Research Center, which is Intel’s first research centre focusing on AI in China. The university’s rapidly developing AI Institute provides an opportunity for deepening its involvement in MCF R&D. In May 2018, NJU signed a strategic cooperation agreement with Megvii (旷视科技). Megvii has been blacklisted by the US government over human rights abuses.
The tag is: misp-galaxy:china-defence-universities="Nanjing University (南京大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-university |
Nanjing University of Aeronautics and Astronautics (南京航空航天大学)
NUAA is one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. NUAA specialises in aerospace research and works closely with the Chinese military as well as civilian and military aviation companies, including military aircraft manufacturers AVIC and AECC. 21% of the university’s graduates in 2018 who found employment were working in the defence sector.
The university claims to have participated in nearly all major national aviation projects, including the development of the Chang’e 3 unmanned lunar explorer. NUAA hosts China’s only national defence laboratory for helicopter technology.
NUAA has attracted controversy for its alleged involvement in the Ministry of State Security’s efforts to steal US aviation technology.
The tag is: misp-galaxy:china-defence-universities="Nanjing University of Aeronautics and Astronautics (南京航空航天大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-university-of-aeronautics-and-astronautics |
Nanjing University of Posts and Telecommunications (南京邮电大学)
NJUPT was initially ‘one of the earliest institutions devoted to training communications personnel for the Chinese Communist Party and red army’. Since then, NJUPT has evolved from a training college to a civilian university that offers undergraduate, postgraduate and doctoral degrees in various communications and engineering disciplines.
NJUPT holds secret-level security credentials, allowing it to participate in classified defence research projects.
Key areas of research at the university include:
The tag is: misp-galaxy:china-defence-universities="Nanjing University of Posts and Telecommunications (南京邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-university-of-posts-and-telecommunications |
Nanjing University of Science and Technology (南京理工大学)
NJUST is one of the ‘Seven Sons of National Defence’ administered by the Ministry of Industry and Information Technology. Together with Beijing Institute of Technology, it was ranked as China’s top university for armaments science in 2017. Roughly 16% of the university’s graduates in 2018 who found employment were working in the defence sector.
NJUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions specialising in weapons science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Indicative of the university’s high level of involvement in defence research, in 2013 a disused laboratory on its campus exploded, killing one person, after workers disturbed a cache of explosives.
NJUST has a collaborative relationship with a PLA signals intelligence research institute, involving cooperation on unmanned combat platforms and information security.
The tag is: misp-galaxy:china-defence-universities="Nanjing University of Science and Technology (南京理工大学)"
Links |
https://unitracker.aspi.org.au/universities/nanjing-university-of-science-and-technology |
National Defense University (中国人民解放军国防大学)
NDU is the PLA’s ‘premier’ institution for training in military theory, strategy, operations and political work, whose history can be traced back to the era of Mao Zedong’s peasant-led red army in 1927.
The university is devoted to training the PLA’s officer corps in preparation for senior leadership positions. Given this focus on the softer skills of PLA administration, the National Defense University does not have as strong a focus on hard science as its counterpart, the National University of Defense Technology.
The tag is: misp-galaxy:china-defence-universities="National Defense University (中国人民解放军国防大学)"
Links |
https://unitracker.aspi.org.au/universities/national-defense-university |
National University of Defense Technology (中国人民解放军国防科技大学)
In 2017, NUDT was reformed and placed in charge of the Institute of International Relations in Nanjing, the National Defense Information Institute in Wuhan, the Xi’an Communications College, the Electrical Engineering Institute in Hefei, and the College of Meteorology and Oceanography in Nanjing. The Institute of International Relations in Nanjing is a key training centre for intelligence officers.
NUDT is known for its research on supercomputers, autonomous vehicles, hypersonic missiles and China’s Beidou Navigation Satellite System. The university developed the Tianhe-2A supercomputer at the National Supercomputing Center in Guangzhou, the world’s fastest supercomputer from 2013 to 2016. NUDT’s Tianhe-1A supercomputer is based at Hunan University’s National Supercomputing Center Changsha (国家超级计算长沙中心).
For over a decade, NUDT has aggressively leveraged overseas expertise and resources to build its capabilities. The Australian Strategic Policy Institute’s International Cyber Policy Centre’s October 2018 report ‘Picking flowers, making honey: The Chinese military’s collaboration with foreign universities’ documented and analysed NUDT’s overseas presence. The report found that by 2013 the university had sent over 1,600 of its professors and students to study and work abroad. Universities in the United States, the United Kingdom, Australia, Canada, Singapore, the Netherlands and Germany engage in some of the highest levels of collaboration with NUDT. Some of NUDT’s leading experts on drone swarms, hypersonic missiles, supercomputers, radars, navigation and quantum physics have been sent to study or work abroad.
Chinese defector and self-described spy Wang Liqiang claimed in 2019 that NUDT’s ‘Intelligence Center’ sent him fake passports for his mission to interfere in Taiwanese politics. This indicates that the university plays an important role in supporting China’s overseas intelligence activity.
NUDT also works with foreign technology companies. Google and Microsoft have both worked with and trained NUDT scientists.
The tag is: misp-galaxy:china-defence-universities="National University of Defense Technology (中国人民解放军国防科技大学)"
Links |
https://unitracker.aspi.org.au/universities/national-university-of-defense-technology |
Naval Command College (中国人民解放军海军指挥学院)
The Naval Command College is an institution that provides education and training for naval officers in a variety of disciplines such as military thought, strategic studies, intelligence training and political work, along with military operations, tactics and campaigns. The college plays a crucial role in improving the quality of PLA Navy personnel, as well as providing combined arms training for mid-career political commissars, logistics officers and equipment officers. The college serves to improve strategic and tactical thinking in the PLA Navy by hosting the Naval Campaigns and Tactics Center Laboratory (海军战役战术中心实验室) and producing research that looks at operationalising new training and command systems. It is the PLA Navy’s last remaining command academic institution.
The tag is: misp-galaxy:china-defence-universities="Naval Command College (中国人民解放军海军指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/naval-command-college |
Naval Petty Officer Academy (中国人民解放军海军士官学校)
The academy has three main departments focused on training, campus affairs and political work. It has published research on radar jamming.
The tag is: misp-galaxy:china-defence-universities="Naval Petty Officer Academy (中国人民解放军海军士官学校)"
Links |
https://unitracker.aspi.org.au/universities/naval-petty-officer-academy |
Naval Research Academy (中国人民解放军海军研究院)
The Naval Research Academy was established in July 2017 following Xi Jinping’s military reforms. Main areas of study include military theory and technological research as well as the maritime environment and national defence engineering.
The Naval Research Academy actively collaborates with civilian universities as part of China’s military-civil fusion program. In April 2019, delegates from the Naval Research Academy attended a meeting with officials from Xi’an Jiaotong University on cooperation directed at improving the quality assurance and technological reliability of complex armaments currently in service in the PLA Navy. Major General Li Wei from the Naval Research Academy stated that his colleagues were paying ‘very close attention to this co-operation with Xi’an Jiaotong University’ in the development and sustainment of naval equipment.
The Naval Research Academy also collaborates with civilian research institutes. For example, the Institute for Industrial Military-Civil Fusion at the Research Institute of Machinery Industry Economic and Management claims to have worked with the Naval Research Academy and a number of state-owned enterprises that focus on defence technology, such as China Shipbuilding Industry Corporation (CSIC), in order to develop strategies for military-civil fusion.
The Naval Research Academy’s involvement in military-civil fusion is particularly notable for work on maritime information technology and equipment. In January 2019, delegates from the Naval Research Academy attended a conference hosted by the National Key Laboratory of Underwater Acoustic Science and Technology (水声技术国防科技重点实验室) and the Key Laboratory of Marine Information Acquisition and Security Industry and Information Technology (海洋信息获取与安全工业和信息化部重点实验室) of Harbin Engineering University (HEU). The Naval Research Academy’s Liu Qingyu (刘清宇) was reported to have made a presentation on international and domestic developments in marine sonar technology at the conference.
Liu Qingyu from the Naval Research Academy has a particularly strong record of engagement with civilian and military institutions for his research into marine sonar technology. In 2018, Liu delivered a presentation to Northwestern Polytechnical University (NPU) which ‘elaborated on some of the problems facing the national coastal defence industry’ and ‘suggested areas for future research into marine acoustics.’ Both students and academics from NPU attended Liu’s presentation. Liu has also published papers on acoustic science with scholars from the Chinese Academy of Sciences, the Naval University of Engineering, and Northwestern Polytechnical University.
The tag is: misp-galaxy:china-defence-universities="Naval Research Academy (中国人民解放军海军研究院)"
Links |
https://unitracker.aspi.org.au/universities/naval-research-academy |
Naval University of Engineering (中国人民解放军海军工程大学)
NUE is one of the PLA’s five comprehensive universities, and trains students in a variety of engineering and core military disciplines related to naval warfare.
The university is home to two national defence key laboratories. The National Key Laboratory for Vessel Integrated Power System Technology (舰船综合电力技术国防科技重点实验室) was established in 2010 to carry out ‘indigenous research and development’ into integrated electric propulsion (IEP) systems that power naval vessels at sea. IEP generally uses diesel generators and/or gas turbines to generate the electricity needed to turn the propellers on large surface vessels such as guided missile destroyers or amphibious assault ships. The lab is jointly run by NUE and China Shipbuilding Industry Corporation’s (CSIC) 712th Research Institute.
Rear Admiral Ma Weiming has led the National Key Laboratory for Vessel Integrated Power System Technology to develop propulsion systems for aircraft catapults, electromagnetic weapons and satellite launches. Admiral Ma has been referred to as ‘the father of China’s electromagnetic catapult system’ (中国电磁弹射之父) by official Chinese media sources.
NUE’s National Defense Technology Key Laboratory of Marine Vibration and Noise (船舶振动噪声国防科技重点实验室) works on acoustic quieting technology for submarines. The lab is probably jointly run with CSIC’s 701st Research Institute, also known as the China Ship Development and Design Center (中国舰船研究设计中心).
Another laboratory that conducts defence research at NUE is the Nuclear Marine Propulsion Engineering Military Key Laboratory (舰船核动力工程军队重点实验室). The lab focuses on research and on training engineers in nuclear engineering for warships and submarines.
Academic departments at the Naval University of Engineering include:
The tag is: misp-galaxy:china-defence-universities="Naval University of Engineering (中国人民解放军海军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/naval-university-of-engineering |
Navy Aviation University (中国人民解放军海军航空大学)
The Navy Aviation University was established upon the merger of the Naval Aviation Pilot Academy and the Naval Aviation Engineering University during Xi Jinping’s military reforms in 2017. The university conducts research into missile engineering, electrical engineering and automation, navigation engineering, as well as air station management engineering and flight vehicle design engineering. Academic articles published by the university have looked at topics such as the PLA Navy’s combat system capability and naval aviation management systems.
The tag is: misp-galaxy:china-defence-universities="Navy Aviation University (中国人民解放军海军航空大学)"
Links |
https://unitracker.aspi.org.au/universities/navy-aviation-university |
Navy Logistics Academy (中国人民解放军海军勤务学院)
The Navy Logistics Academy is an institution devoted to training naval cadets and officers specialising in logistics. The academy’s core training and research focuses on military studies, management science and economics, while specialist lines of research include logistics command management and military financial auditing. The Center for Naval Analyses (CNA) in Arlington, Virginia has noted that entry into the academy tends to occur at the mid-career level for officers in the PLA Navy.
The tag is: misp-galaxy:china-defence-universities="Navy Logistics Academy (中国人民解放军海军勤务学院)"
Links |
https://unitracker.aspi.org.au/universities/navy-logistics-academy |
Navy Medical University (中国人民解放军海军军医大学)
The PLA Navy Medical University, formerly known as the Second Military Medical University, was established in 1951 as a university focussed on medical research for the Chinese military.
The tag is: misp-galaxy:china-defence-universities="Navy Medical University (中国人民解放军海军军医大学)"
Links |
https://unitracker.aspi.org.au/universities/navy-medical-university |
Navy Submarine Academy (中国人民解放军海军潜艇学院)
The Navy Submarine Academy is responsible for the training of submariners to crew its conventionally and nuclear-powered submarines. The academy focuses its research on subjects such as electrical and information engineering, combat simulation, underwater acoustic engineering and navigation technology along with weapons systems and launch engineering and underwater ordnance technology. The academy also offers programs in combat tactics and the underwater combat environment. The Navy Submarine Academy pursues research that may contribute to Chinese anti-submarine warfare capabilities through the Underwater Operational Environment Military Key Laboratory (水下作战环境军队重点实验室). The academy also oversees part of the The publication record of researchers from the Navy Submarine Academy also suggests a strong interest in foreign developments in undersea warfare systems. In 2018, the Navy Submarine Academy signed a cooperative agreement with Harbin Engineering University (HEU). The agreement is directed at promoting research collaboration in subjects such as big data fusion, intelligent navigation, underwater acoustic target recognition, and underwater unmanned intelligent control systems.
The tag is: misp-galaxy:china-defence-universities="Navy Submarine Academy (中国人民解放军海军潜艇学院)"
Links |
https://unitracker.aspi.org.au/universities/navy-submarine-academy |
North China Institute of Aerospace Engineering (北华航天工业学院)
NCIAE specialises in aerospace technology and engineering. The university is primarily run by the Hebei Provincial Government, together with the State Administration of Science, Technology and Industry for National Defense, China Aerospace Science and Technology Corporation (CASC), and China Aerospace Science and Industry Corporation (CASIC). NCIAE appears to be a major training center for CASC and CASIC, state-owned defence conglomerates that dominate China’s missile and satellite sector. NCIAE runs at least two research and development centres with CASC and was involved in the development of the Shenzhou spacecraft, Long March rockets and the DFH-5 satellite platform. In 2003, the Hebei Provincial Government, CASC and CASIC signed an agreement to jointly support NCIAE (pictured below, courtesy of NCIAE).
The tag is: misp-galaxy:china-defence-universities="North China Institute of Aerospace Engineering (北华航天工业学院)"
Links |
https://unitracker.aspi.org.au/universities/north-china-institute-of-aerospace-engineering |
North China University of Science and Technology (华北理工大学)
NCST was founded in 2010 and focuses on metallurgy and materials science. The university has engaged in growing levels of defence research since coming under the supervision of defence industry agency SASTIND in 2013. ‘Military-use critical materials’ has been designated as a key defence research area at NCST.
The tag is: misp-galaxy:china-defence-universities="North China University of Science and Technology (华北理工大学)"
Links |
https://unitracker.aspi.org.au/universities/north-china-university-of-science-and-technology |
North University of China (中北大学)
NUC is a civilian university that specialises in defence research. It is jointly administered by the Shanxi Provincial Government and defence industry agency SASTIND. The university traces its roots back to an ordnance school established by the Eighth Route Army in 1941, and defence research is central to its identity. According to NUC’s website, ‘Our university has long established excellent and cooperative relationships with Central Military Commission departments, SASTIND, Norinco Group, China South Industries Group, China Aerospace Science and Technology Group, China Aerospace Science and Industry Group, and our graduates are spread across different areas in defence industry.’ Approximately 2000 of its graduates enter the defence industry each year. NUC specialises in testing and developing weapons, including tanks, missiles and explosives. Its Underground Target Damage Technology National Defense Key Subject Laboratory reportedly runs the only underground shooting range in a Chinese university. The university is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器).
The tag is: misp-galaxy:china-defence-universities="North University of China (中北大学)"
Links |
https://unitracker.aspi.org.au/universities/north-university-of-china |
Northeastern University (东北大学)
NEU is a major civilian university subordinate to the Ministry of Education. The university hosts three national laboratories, all of which are related to industrial manufacturing technology. NEU engages in growing levels of defence research. It holds secret-level security credentials allowing it to participate in classified weapons projects and hosts the defence-focused Key Laboratory of Aerodynamic Equipment Vibration and Control. In 2018, NEU was approved to build a further five laboratories that could be involved in future defence or security-related research. In 2019, NEU joined the Shenyang Aircraft Design Institute Collaborative Innovation Alliance (沈阳飞机设计研究所协同创新联盟), a group of universities and institutes, led by defence conglomerate AVIC, that are involved in the development of military aircraft. NEU also runs a National Defense Science and Technology Development Research Institute (国防科技发展研究院). In 2019, the institute’s senior deputy director was awarded a China Industry-University-Research Cooperation Military-Civil Fusion Prize.
The tag is: misp-galaxy:china-defence-universities="Northeastern University (东北大学)"
Links |
https://unitracker.aspi.org.au/universities/northeastern-university |
Northwest Institute of Nuclear Technology (西北核技术研究所)
NINT is one of China’s main sites of nuclear technology research. While the Chinese Academy of Engineering Physics is believed to be China’s only manufacturer of nuclear warheads, NINT likely plays a supporting role in research for nuclear weapons. It is especially active in research on lasers, which can be used in nuclear fusion reactors or weapons. Aside from nuclear technology, NINT carries out research on topics including electronics, information science, materials science, control science and chemistry. NINT has partnerships with several institutes in the Chinese Academy of Sciences, Xiangtan University, Northwestern Polytechnical University, and Xi’an Jiaotong University.
The tag is: misp-galaxy:china-defence-universities="Northwest Institute of Nuclear Technology (西北核技术研究所)"
Links |
https://unitracker.aspi.org.au/universities/northwest-institute-of-nuclear-technology |
Northwestern Polytechnical University (西北工业大学)
The university is one of the ‘Seven Sons of National Defence’ subordinate to MIIT. It is heavily engaged in military research, describing itself as ‘devoted to improving and serving the national defence science and technology industry.’ NWPU’s research focuses on aviation, space and naval technology. Between 2014 and 2018, the university’s School of Mechanics, Civil Engineering and Architecture alone spent nearly RMB200 million (AUD40 million) on defence research projects. 41.25% of 2017 NWPU graduates who gained employment were working in the defence sector. NWPU is known for its development of unmanned aerial vehicles (UAVs). The only Chinese university hosting a UAV defence laboratory, NWPU produces the ASN series of UAVs through its subsidiary company, Aisheng Technology Group Co., Ltd. The Chinese military is the company’s largest customer and the company once claimed to produce 90% of China’s drones. The university has close ties to state-owned shipbuilding and aerospace conglomerates.
The tag is: misp-galaxy:china-defence-universities="Northwestern Polytechnical University (西北工业大学)"
Links |
https://unitracker.aspi.org.au/universities/northwestern-polytechnical-university |
Officers College of the PAP (中国人民武装警察部队警官学院)
The Officers College of the PAP was established as an institution devoted to training officers of China’s paramilitary service in command and engineering disciplines. The college’s research focusses on combat command, command information systems engineering, philosophy, law, political education, Chinese language and literature, history, mathematics, physics, applied psychology, electrical science and technology, computer science and technology, and management science and engineering. The Officers College of the PAP is especially active in developing drone technology. On 26 June 2019, the college tested its X-Swift unmanned aerial vehicles (UAV) in a test surveillance and reconnaissance flight with special operations personnel in Sichuan. The college is also active in developing applications for drone technology. Researchers from the college have collaborated with personnel from the PLA Logistics Engineering University to publish an article in favour of deploying UAVs to southern Xinjiang for counter-terrorism missions. The researchers argue for UAVs to be deployed for regional surveillance and strike as well as search and seizure missions in Xinjiang, drawing on lessons from the US coalition against ISIS.
The tag is: misp-galaxy:china-defence-universities="Officers College of the PAP (中国人民武装警察部队警官学院)"
Links |
https://unitracker.aspi.org.au/universities/officers-college-of-the-pap |
PAP NCO College (中国人民武装警察部队士官学校)
The PAP NCO College was established in 2017 following Xi Jinping’s reforms to China’s military education system. The college does not appear to engage in significant levels of defence research and focuses its attention on training enlisted personnel in China’s paramilitary service, the People’s Armed Police.
The tag is: misp-galaxy:china-defence-universities="PAP NCO College (中国人民武装警察部队士官学校)"
Links |
Peking University (北京大学)
PKU is considered among China’s most prestigious universities with a storied history. It is ranked as one of China’s top two academic institutions, along with Tsinghua University. Unsurprisingly, the university has been included in a number of the PRC’s educational initiatives, including as a Class A institution under the Double First-Class University program. PKU has been subject to at least two joint-supervision agreements between the Ministry of Education and defence industry agency SASTIND. These agreements, signed in 2012 and 2016, are designed to deepen the university’s involvement in defence research. PKU’s Advanced Technology Institute was founded in 2006 to oversee and develop the university’s defence research. It includes several research centres and supervises the university’s four major defence laboratories. The institute’s research covers semiconductors, nuclear technology, quantum physics, advanced materials, underwater acoustics, satellite navigation and communications, flight propulsion, aerospace engineering and microprocessors. In 2017, PKU and the Chinese Academy of Engineering Physics (CAEP)—China’s nuclear weapons program—established the PKU–CAEP New Structure Center for Applied Physics and Technology (北京大学-中国工程物理研究院新体制应用物理与技术研究中心). The institution was founded on the basis of the PKU Center for Applied Physics and Technology (北京大学应用物理与技术研究中心) established with CAEP in 2007. The joint centre carries out research on materials, lasers for atomic physics applications, laser plasma physics, computer science and fluid dynamics. PKU’s report on the centre notes that it will serve China’s national defence needs and that CAEP’s deputy director emphasised it should ‘take the path of military-civil fusion’. The joint centre’s honorary director and founding director, He Xiantu, is credited as the developer of China’s first neutron bomb. PKU takes precautions for the protection of classified information. The university has an office devoted to the secure handling of classified information, hosting regular meetings and training sessions to strengthen the university’s security culture. In 2006, the university received security credentials for participation in classified defence research.
The tag is: misp-galaxy:china-defence-universities="Peking University (北京大学)"
Links |
https://unitracker.aspi.org.au/universities/peking-university |
People’s Armed Police Command College (中国人民武装警察指挥学院)
The PAP Command College is an institution devoted to training officers in China’s paramilitary service, the People’s Armed Police, that was established in 1984. The college’s key subjects focus on law, engineering, military studies and management studies, but most attention is devoted to paramilitary training and political work. The PAP Command College maintains a focus on paramilitary training, but it does retain a scientific research program. Drone technology is another area of interest for the PAP Command College. The college was involved in testing the X-Swift unmanned aerial vehicle (UAV) in June 2019. Kang Jian from the college’s Scientific Research Department also attended the 2017 Drone World Congress hosted in Shenzhen.
The tag is: misp-galaxy:china-defence-universities="People’s Armed Police Command College (中国人民武装警察指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/peoples-armed-police-command-college |
People’s Public Security University of China (中国人民公安大学)
PPSUC was founded in July 1948. In 1984, it was developed into a full-time higher education institution with master’s and bachelor’s degree programs. In 1998, it was merged with the Chinese People’s Police University (中国人民警官大学). Its schools include a Marxism School, Law School, Law and Order School, Investigation and Anti-Terrorism School, Criminology School, Public Security Management School, International Policing and Law Enforcement School, Police Training College (which covers combat training and command and tactical training), Criminal Science and Technology School, Information Technology and Network Security School, and a Traffic Management School. PPSUC is involved in the development of technological tools for public security applications, including image recognition. For instance, the university signed an agreement with Chinese video surveillance equipment manufacturer Hikvision in 2016 to set up a joint laboratory on video image recognition technology. In 2018, it signed a strategic cooperation agreement with Xiamen Meiya Pico Information Co., a Chinese company that provides digital forensics and information security products, which included upgrading a forensics laboratory and establishing a cyber security attack and defence laboratory. The university also has cooperation agreements with numerous local government-level public security bureaus across the PRC. These include agreements on image recognition technology for local public security bureaus and joint laboratories. For instance, in 2018, alongside the Nanshan sub-bureau of Shenzhen Public Security Bureau and the artificial intelligence companies SenseTime and Shenzhen Yuantian Lifei, it signed a strategic cooperation agreement on applying video recognition and the establishment of a joint laboratory.
The tag is: misp-galaxy:china-defence-universities="People’s Public Security University of China (中国人民公安大学)"
Links |
https://unitracker.aspi.org.au/universities/peoples-public-security-university-of-china |
Railway Police College (铁道警察学院)
The Railway Police College is China’s only institution of higher learning devoted to training specialists responsible for securing the Chinese railway network. In 2017, the college graduated over 1,000 personnel trained in disciplines such as surveillance studies, political security studies and safety management studies.
The tag is: misp-galaxy:china-defence-universities="Railway Police College (铁道警察学院)"
Links |
https://unitracker.aspi.org.au/universities/railway-police-college |
Renmin University (人民大学)
Renmin University is subordinate to the Ministry of Education and also supported by the Beijing Municipal Government. Its focus is on the humanities and social sciences. Although the university does not appear to have ties with the national defense industry, it was placed on the US Government’s Unverified List in April 2019, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.
The tag is: misp-galaxy:china-defence-universities="Renmin University (人民大学)"
Links |
https://unitracker.aspi.org.au/universities/renmin-university |
Rocket Force Command College (中国人民解放军火箭指挥学院)
The Rocket Force Command College is the PLA’s premier institute devoted to training cadets and early-to-mid career officers in conventional and nuclear missile campaigns. Candidates require understanding of battlefield command, management and campaign tactics prior to entry into the college. The college then builds on this knowledge by providing specialist training for missile campaigns.
The tag is: misp-galaxy:china-defence-universities="Rocket Force Command College (中国人民解放军火箭指挥学院)"
Links |
https://unitracker.aspi.org.au/universities/rocket-force-command-college |
Rocket Force Research Institute (中国人民解放军火箭军研究院)
The Rocket Force Research Institute develops nuclear and conventional ballistic missiles, carrying out research on warhead, guidance and control technology. It appears to be the successor to the PLA Second Artillery Equipment Academy (火箭军装备研究院) and the Rocket Force Equipment Academy (火箭军装备研究院). The institute reportedly hosts two national-level defence laboratories. It also has a strategic cooperation agreement with Beijing Institute of Technology, which hosts two state key laboratories that study impacts and explosions.
The tag is: misp-galaxy:china-defence-universities="Rocket Force Research Institute (中国人民解放军火箭军研究院)"
Links |
https://unitracker.aspi.org.au/universities/rocket-force-research-institute |
Rocket Force Sergeant School (中国人民解放军火箭军士官学校)
The Rocket Force Officer College is an institution devoted to training military personnel for China’s tactical and strategic missile forces that was established after Xi Jinping’s military reforms in 2017. The college’s focus is on providing technical training to personnel in the PLARF’s missile systems. However, the college has also produced research on underground engineering which would be useful for hardening bases against missile strikes.
The tag is: misp-galaxy:china-defence-universities="Rocket Force Sergeant School (中国人民解放军火箭军士官学校)"
Links |
https://unitracker.aspi.org.au/universities/rocket-force-sergeant-school |
Rocket Force University of Engineering (中国人民解放军火箭军工程大学)
RFUE is the PLA strategic missile force’s leading institution for training technical and scientific talent. Students entering the university tend to be university graduates and career members of the PLA Rocket Force. Defence research conducted by the RFUE focuses on building resilience and capabilities for conventional and nuclear missile strikes. RFUE hosts the Missile Testing and Control Virtual Simulation Experimental Teaching Center (导弹测试与控制虚拟仿真实验教学中心). The university’s key areas of research include:
The tag is: misp-galaxy:china-defence-universities="Rocket Force University of Engineering (中国人民解放军火箭军工程大学)"
Links |
https://unitracker.aspi.org.au/universities/rocket-force-university-of-engineering |
Shandong University (山东大学)
SDU is subordinate to the Ministry of Education. Since 2016, it has also been supervised by defence industry agency SASTIND as part of a program to expand universities’ involvement in defence research and training. SDU has pursued greater involvement in defence research since at least 2006, when it established a national defence research institute to coordinate relevant work across the university. Shortly afterwards, it received secret-level security credentials allowing it to participate in research and production for classified weapons and defence technology projects. In 2008, it was recognised as one of Shandong Province’s 10 outstanding defence industry units. SDU collaborates with the Chinese Academy of Engineering Physics, China’s nuclear warheads development facility, on topics including the development of crystals that are used in the study of nuclear explosions and research on fusion ignition.
The tag is: misp-galaxy:china-defence-universities="Shandong University (山东大学)"
Links |
https://unitracker.aspi.org.au/universities/shandong-university |
Shandong University of Technology (山东理工大学)
SDUT specialises in engineering and carries out growing levels of defence research. In 2018, SDUT became the only university in Shandong Province jointly supervised by defence industry agency SASTIND besides Shandong University. This indicates that SDUT’s involvement in defence research and links to the defence industry will grow in coming years. SASTIND has specifically indicated its intention to build up advanced materials and advanced manufacturing technology as areas of defence research at SDUT. SDUT has carried out research on mechatronic engineering for the defence industry, and developed a non-destructive testing system for ceramic antenna covers on missiles.
The tag is: misp-galaxy:china-defence-universities="Shandong University of Technology (山东理工大学)"
Links |
https://unitracker.aspi.org.au/universities/shandong-university-of-technology |
Shanghai Jiao Tong University (上海交通大学)
SJTU is directly under the administration of the MOE. In 2016 it also came under the supervision of defence industry agency SASTIND as part of a ‘joint construction’ agreement between the MOE and SASTIND. The university has at least three laboratories focused on defense research relating to materials science, ships and hydrodynamics. The defence labs have established substantial collaborative research and talent development relationships with hydrodynamics research groups at universities including MIT, Cornell, and the Danish Technical University. One of the university’s strongest departments is computer science. Its computer science program has garnered support from American tech companies such as Cisco Systems and Microsoft, which collaborated on establishing a laboratory for intelligent computing and intelligent systems at the university. In particular, the School of Information Security Engineering has ties to the PLA through its dean and chief professor, who both previously worked for the PLA. SJTU also has ties to the PLA Unit 61398, a cyber espionage unit that has been implicated in cyber attacks on the United States. SJTU is also known for its involvement in maritime research. The School of Naval Architecture, Ocean & Civil Engineering cooperates extensively with other universities from around the world as well as with many domestic industrial enterprises, such as defence conglomerates CSIC and CASC. The school is the lead unit of the High-tech Ship and Deep-Sea Development Equipment Collaborative Innovation Center (高新船舶与深海开发装备协同创新中心), where it has contributed to assisting the PLA Navy’s transition to offshore defense operations.
The tag is: misp-galaxy:china-defence-universities="Shanghai Jiao Tong University (上海交通大学)"
Links |
https://unitracker.aspi.org.au/universities/shanghai-jiaotong-university |
Shanghai University (上海大学)
SHU is engaged in growing levels of defence research. In 2016, the Shanghai Municipal Government and defence industry agency SASTIND agreed to jointly supervise and support its participation in defence research. Shanghai University has begun building up its capability in defence research in areas such as unmanned surface vehicles, materials for missiles, and microwave technology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. Shanghai University’s Research Institute of Unmanned Surface Vehicle Engineering researches and produces unmanned surface vessels, some of which are for the China Maritime Safety Administration.
The tag is: misp-galaxy:china-defence-universities="Shanghai University (上海大学)"
Links |
https://unitracker.aspi.org.au/universities/shanghai-university |
Shenyang Aerospace University (沈阳航空航天大学)
SAU is the only university formally under the supervision of China’s military aircraft manufacturer, AVIC. SAU engages in high levels of defence research and describes itself as a base for training talent in national defence science and technology. Serving China’s military aviation industry is what SAU refers to as its ‘glorious tradition’. Many of China’s military aircraft are designed and built in Shenyang, which is home to AVIC subsidiaries Shenyang Aircraft Design Institute and Shenyang Aircraft Corporation. SAU and AVIC work closely together, including through a joint research institute.
The tag is: misp-galaxy:china-defence-universities="Shenyang Aerospace University (沈阳航空航天大学)"
Links |
https://unitracker.aspi.org.au/universities/shenyang-aerospace-university |
Shenyang Ligong University (沈阳理工大学)
SYLU is a civilian university that specialises in defence research. The university’s primary areas of defence research are armament science, information and communications engineering, control science, materials science and mechanical engineering. Apart from Xi’an Technological University, SYLU is the only Chinese civilian university supervised by state-owned arms manufacturers Norinco Group and China South Industries Group. In 2016, it also came under the supervision of defence industry agency SASTIND. SYLU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). The university runs a weapons museum on its campus. Furthermore, SYLU is a member of the Liaoning Military-Civil Fusion Arms Industry-College Alliance (辽宁军民融合(兵工)产业校企联盟) and SYLU’s president doubles as chairman of the alliance. This indicates close ties between SYLU and China’s arms industry.
The tag is: misp-galaxy:china-defence-universities="Shenyang Ligong University (沈阳理工大学)"
Links |
https://unitracker.aspi.org.au/universities/shenyang-ligong-university |
Shenzhen University (深圳大学)
SZU is the primary university in China’s rapidly growing technology hub, Shenzhen. The university does not appear to engage in high levels of defence research outside of its national defence laboratory on automatic target recognition. The laboratory was founded in 2001, is overseen by the PLA and SASTIND, and is headed by the university’s former president.
The tag is: misp-galaxy:china-defence-universities="Shenzhen University (深圳大学)"
Links |
https://unitracker.aspi.org.au/universities/shenzhen-university |
Shijiazhuang Tiedao University (石家庄铁道大学)
STDU specializes in transportation science, engineering and information technology. Its predecessor was the PLA Railway Engineering College. Since 2013, STDU has also been supervised by defence industry agency SASTIND through an arrangement designed to expand the university’s involvement in defense-related research and training. STDU has secret-level security credentials, allowing it to participate in classified defense technology research. STDU is home to the National Defense Transportation Research Institute (国防交通研究所), which is the only civilian university research institute that specializes in national defense transportation research. STDU is also home to the Institute of Complex Networks and Visualisations (复杂网络与可视化研究所), which develops military-use information processing software including remote-control systems for aerospace applications.
The tag is: misp-galaxy:china-defence-universities="Shijiazhuang Tiedao University (石家庄铁道大学)"
Links |
https://unitracker.aspi.org.au/universities/shijiazhuang-tiedao-university |
Sichuan University (四川大学)
Sichuan University (SCU) is a leading Chinese university subordinate to the Ministry of Education. In 2011 and again in 2016 SCU was the subject of joint construction agreements between the MOE and defence industry agency SASTIND designed to increase its involvement in defence research. The university hosts at least three laboratories that focus on defence research and has a close relationship with the Chinese Academy of Engineering Physics (CAEP), the PRC’s primary nuclear warheads research facility. SCU’s Institute of Atomic and Molecular Physics and CAEP jointly established the Institute of Atomic and Molecular Engineering and the Institute of High Temperature and High Pressure Physics. In 2012, SCU was added to the US BIS Entity List as an alias of CAEP, implying that it acts as a proxy for the facility. A 2011 study by American think tank Project 2049 concluded that a PLA signals intelligence unit ‘likely maintain a close, mutually supportive relationship with related organizations in Chengdu, such as Sichuan University’s Information Security and Network Attack and Defense Laboratory (四川大学信息安全及网络攻防研究室).’
The tag is: misp-galaxy:china-defence-universities="Sichuan University (四川大学)"
Links |
https://unitracker.aspi.org.au/universities/sichuan-university |
Soochow University (苏州大学)
Soochow University has been jointly supervised by the Jiangsu Provincial Government and defence industry agency SASTIND since 2016. This arrangement is designed to expand the university’s involvement in defense-related research and training. The university has five designated defence disciplines, centred around research on radiation. In particular, its School of Radiation Medicine and Protection has strong defence links, as it has become a major teaching and research base for the nuclear industry. Suzhou University is also involved in promoting military-civil fusion. The university cooperated with Changfeng Science Technology Industry Group (a subsidiary of missile manufacturer CASC) and Suzhou Xinkuan Electronic Technology Co., Ltd. to jointly establish the ‘Suzhou University Military-Civil Fusion Internet of Things Collaborative Innovation Center.’
The tag is: misp-galaxy:china-defence-universities="Soochow University (苏州大学)"
Links |
https://unitracker.aspi.org.au/universities/soochow-university |
South China University of Technology (华南理工大学)
SCUT is subordinate to the Ministry of Education and in 2018 was placed under a joint-construction agreement between the MOE and SASTIND. This arrangement is designed to develop the university’s involvement in defence-related research and training. SCUT also holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects. As a result of the university’s placement under joint construction and its secret-level security credentials, SCUT’s involvement in defence research is likely to grow in coming years. Since 2008, the university has hosted a defence research laboratory on materials science. The lab was initially run by the university’s president. In 2017, the university joined the Guangzhou Civil-Military Integration Industry Coalition. More recently, in 2019, SCUT and iFlytek established an artificial intelligence company, Guangzhou Huanan Naokong Zhineng Keji Gongsi (广州华南脑控智能科技公司).
The tag is: misp-galaxy:china-defence-universities="South China University of Technology (华南理工大学)"
Links |
https://unitracker.aspi.org.au/universities/south-china-university-of-technology |
Southeast University (东南大学)
SEU is a leading Chinese university that engages in high levels of defence research. In 2015, the university undertook RMB180m (AUD37m) of defence research projects, placing it among the Ministry of Education universities most involved in defence research. That figure has almost certainly grown since 2016, when SEU came under a ‘joint construction’ agreement between the Ministry of Education and defence industry agency SASTIND. The university has secret security credentials, enabling it to participate in secret defence projects. The university has also been linked to cyberespionage. Researchers at its School of Cyber Science and Engineering (网络空间安全学院) have been funded by the MSS, China’s civilian intelligence agency. The School of Cyber Science and Engineering has close ties to TopSec, a Chinese information security company that trains, recruits and works with PLA cyber security officers. SEU states that its defence research relies on its excellence in electronics. It has at least two laboratories that specialise in defence research on navigation technology and underwater acoustics. Both laboratories may be involved in developing technology for underwater warfare. Representatives from the PLA Navy’s Submarine Academy visited SEU in 2017. SEU has also built relationships with state-owned defence conglomerates. In 2017, the university signed a strategic cooperation agreement with missile manufacturer China Aerospace Science and Industry Corporation. In 2018 and 2019, it signed similar agreements with subsidiaries of China Electronics Technology Group Corporation, China’s leading manufacturer of military electronics.
The tag is: misp-galaxy:china-defence-universities="Southeast University (东南大学)"
Links |
https://unitracker.aspi.org.au/universities/southeast-university |
Southwest University of Science and Technology (西南科技大学)
SWUST is deeply engaged in defence research and is based in Mianyang, a city also home to China’s nuclear weapons program and many other parts of the defence industry. Since 2006, the university has been subject to several joint construction agreements between the Sichuan Provincial Government and SASTIND that are designed to increase its involvement in defence research.
SWUST carries out defence-related research on nuclear waste, radiation protection and electronic information engineering. It holds secret-level security credentials, allowing it to undertake classified defence technology and weapons projects. The university’s main defence laboratory carries out research on topics such as the use of microorganisms to clean nuclear waste.
SWUST has worked closely with the Chinese Academy of Engineering Physics (China’s nuclear warheads program), China Aerodynamics Research and Development Center (a PLA base specialising in aircraft design), and defence conglomerates since its establishment. The fact that the university hosts the province’s ‘Civil-military Integration Institute’ is a testament to its integration with the military and defence industry.
The tag is: misp-galaxy:china-defence-universities="Southwest University of Science and Technology (西南科技大学)"
Links |
https://unitracker.aspi.org.au/universities/southwest-university-of-science-and-technology |
Space Engineering University (中国人民解放军战略支援部队航天工程大学)
SEU was established in June 2017 as an expansion of the former PLA Equipment Academy (装备学院). SEU describes itself as a ‘comprehensive university that trains talents for space command management and engineering.’ It is intended to serve as the ‘cradle of the new PLA’s space talent training.’ The SEU is subordinate to and supports the PLA Strategic Support Force’s Space Systems Department (航天系统部), which has taken over the space and potentially counterspace capabilities that were previously the purview of the former General Armaments Department and, to a lesser degree, the former General Staff Department.
The SEU offers degree programs at the undergraduate, master’s, and doctoral levels, as well as programs for non-commissioned officers, across disciplines including space target surveillance, remote sensing science and technology, and aerospace information security. Its faculty include nine CMC Science and Technology Commission experts and twenty professors who are designated as expert defence science and technology advisors.
Beyond its mission of talent cultivation, the SEU also engages in extensive research. In particular, the SEU has a total of eighteen laboratories, which include two national-level key laboratories and one military-level key laboratory.
The tag is: misp-galaxy:china-defence-universities="Space Engineering University (中国人民解放军战略支援部队航天工程大学)"
Links |
https://unitracker.aspi.org.au/universities/space-engineering-university |
Special Police Academy (中国武装警察部队特种警察学院)
SPA is made up of departments for training, political work and logistics. As such, SPA engages in little defence research and focusses its activities on training special operations paramilitary troops in command processes.
The tag is: misp-galaxy:china-defence-universities="Special Police Academy (中国武装警察部队特种警察学院)"
Links |
https://unitracker.aspi.org.au/universities/special-police-academy |
Sun Yat-sen University (中山大学)
SYSU is a leading Chinese university subordinate to the Ministry of Education. In 2018, it came under the joint supervision of MOE and defence industry agency SASTIND. This development indicates that SYSU’s involvement in the defence industry and defence research is growing.
The university has a large defence research budget. In 2018, it spent nearly RMB200 million (AUD41 million) on defence research out of its total research budget of RMB3.1 billion (AUD640 million).
SYSU is linked to the Chinese military through its National Supercomputer Center in Guangzhou (国家超级计算广州中心), which was placed on the US Government Entity List in 2015 for its role in nuclear weapons development. The centre was jointly established with the PLA National University of Defense Technology in 2011 to host the Tianhe-2 supercomputer. The supercomputer is operated by the National University of Defense Technology and was the world’s fastest from 2013 to 2015.
Aside from the supercomputer centre, SYSU’s Key Laboratory of Information Science is the only known lab focused on defence research and is located within the School of Electronics and Information Technology.
In 2010, the university established a State Secrets Academy (国家保密学院), becoming the third university in China to establish such an institute in partnership with China’s National Administration of State Secrets Protection (国家保密局). The academy carries out research and training on the protection of state secrets.
The tag is: misp-galaxy:china-defence-universities="Sun Yat-sen University (中山大学)"
Links |
https://unitracker.aspi.org.au/universities/sun-yat-sen-university |
Tianjin Polytechnic University (天津工业大学)
TJPU is known for its research in the field of textile science and engineering. It is jointly supervised by the Ministry of Education and the city of Tianjin. In 2018, defence industry agency SASTIND and the Tianjin Municipal Government signed an agreement to jointly support TJPU. The purpose of the agreement is to support the university’s development of defence disciplines, construction of defence laboratories, and training of defence scientists. Through this arrangement, SASTIND involves universities in military research projects and supports collaboration between universities and the defence industry. The university also holds secret-level security credentials that allow it to participate in classified defence technology projects.
Tianjin Polytechnic University hosts one state key lab and two MOE key labs. One of the MOE key labs and the state key lab are located within the School of Material Science and Engineering. Additionally, TJPU’s School of Textile Science and Engineering has conducted R&D that has been applied in industries including aerospace, defence, transportation and civil engineering. The School of Textile Science and Engineering has reportedly become a backbone of research and innovation for China’s textile industry.
The tag is: misp-galaxy:china-defence-universities="Tianjin Polytechnic University (天津工业大学)"
Links |
https://unitracker.aspi.org.au/universities/tianjin-polytechnic-university |
Tianjin University (天津大学)
TJU is under the administration of the Ministry of Education and has also been supervised by defence industry agency SASTIND since 2012. The university has second-class security credentials, allowing it to participate in classified research projects at the level of ‘secret’. It hosts two defence laboratories, working on optoelectronics and propellants.
In 2015, a professor at Tianjin University was arrested by U.S. federal agents and accused of economic espionage and technology theft. He had been a professor in the School of Precision Instrument and Opto-electronics Engineering, which is home to one of the MOE labs involved in defence research. TJU is also a member of several international engineering alliances and has one National Defense Technology Innovation Team.
TJU carries out research for the Ministry of State Security (MSS), China’s civilian intelligence agency. It has hosted at least one MSS researcher and its scientists have been awarded for their work for the MSS on communication and information engineering.
The tag is: misp-galaxy:china-defence-universities="Tianjin University (天津大学)"
Links |
https://unitracker.aspi.org.au/universities/tianjin-university |
Tongji University (同济大学)
Tongji University is recognized for its work in architecture, civil engineering, marine geology, and transportation engineering. The university established the only state key laboratory of deep-sea geology, which plays an important role in China’s deep-sea observation and serves as a significant platform for the country’s marine strategy.
The university’s involvement in marine research likely stems from its joint construction with the State Oceanic Administration (SOA). In 2010, the Ministry of Education and the State Oceanic Administration signed an agreement to jointly construct 17 universities, a collaboration aimed at enhancing the ability to cultivate marine talents in universities, develop marine science and technology, and make contributions to the development of China’s marine industry.
Tongji University has secret-level security credentials and is home to one Ministry of Education laboratory dedicated to defence research. In April 2019, the university was placed on the U.S. Unverified List, which places restrictions on US exports to the university. Entities are added to the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.
The tag is: misp-galaxy:china-defence-universities="Tongji University (同济大学)"
Links |
https://unitracker.aspi.org.au/universities/tongji-university |
Tsinghua University (清华大学)
Tsinghua University is considered China’s leading university in science and technology. Often characterized as ‘China’s MIT,’ Tsinghua is highly ranked globally, while also being the alma mater of numerous Chinese leaders, including Xi Jinping. Tsinghua has been included in numerous Chinese educational initiatives, including acting as a Class A institution in the Double First-Class University Plan and with membership in China’s C9 League. As of spring 2018, Tsinghua University had 390 research institutions operating across a range of fields.
Tsinghua engages in a range of military research and was awarded secret-level security credentials for classified research in 2007. In advancing military-civil fusion, Tsinghua also continues its ‘fine tradition’ of serving China’s national security and defense, actively creating new platforms and initiatives to support this strategy. Not only its dedicated defence laboratories but also a range of key laboratories and research institutions at the university have received funding from the military. Since at least 2012, Tsinghua has also been jointly supervised by defence industry agency SASTIND as part of a program to deepen its defence research and links to the defence sector.
Tsinghua’s defence research covers areas such as artificial intelligence, air-to-air missiles, navigation technology, instrument science and materials science.
The university trains students for China’s nuclear weapons program, military and defence industry. In 2014 it signed a strategic cooperation agreement with the Chinese Academy of Engineering Physics (CAEP), China’s nuclear weapons program. In 2016, CAEP’s Materials Institute and Tsinghua established a joint postgraduate training base for teaching, research collaboration and equipment sharing.
Approximately 200 postgraduate students at Tsinghua are sponsored by CAEP or defence industry conglomerates each year through the Chinese government’s National Defence Science and Technology Scholarship program. Scholarship recipients are required to work for their sponsoring organisation for five years after graduating. Roughly 2000 of the scholarships are awarded each year, indicating that Tsinghua students are among the primary recipients of them. Documents published by Tsinghua indicate that CAEP planned to sponsor 40 PhD students to study nuclear technology in 2013. CAEP continues to sponsor Tsinghua postgraduates. In 2004, Tsinghua agreed to supervise doctoral students from the PLA’s Second Artillery Engineering University, now known as the Rocket Force University of Engineering.
The tag is: misp-galaxy:china-defence-universities="Tsinghua University (清华大学)"
Links |
https://unitracker.aspi.org.au/universities/tsinghua-university |
University of Electronic Science and Technology of China (电子科技大学)
UESTC was established in 1961 as one of China’s first defence industry universities. It is now subordinate to the Ministry of Education (MOE) and is also jointly supervised by defence industry agencies MIIT and SASTIND, as well as the Chinese military’s leading electronics manufacturer, China Electronics Technology Group Corporation (CETC).
The university is one of China’s leading universities for defence electronics research. It claims to rank among the top MOE universities in terms of the scale of its defence research. Between 2011 and 2015, its annual spending on defence research grew by 210% to RMB400 million (AUD80 million) and may account for as much as 32% of its overall research spending. 16.43% of UESTC graduates in 2017 who found employment were working in the defence sector. UESTC gained secret-level security credentials about a decade ago, probably in 2006, making it one of the first MOE universities to hold them.
UESTC research has been used by state-owned manufacturers of military aircraft, missiles, and military electronics and the PLA Navy on projects such as the JF-17 fighter and the Navy’s aircraft carrier program.
UESTC’s defence research covers areas including electronics, microwaves, terahertz technology, anti-jamming technology and signal processing, communication systems, military-use critical materials and optoelectric imaging. Between 2001 and 2005, UESTC undertook over 900 military electronics projects worth in excess of RMB500 million (AUD104 million).
UESTC’s research on artificial intelligence has attracted scrutiny for its human rights implications. In 2015, a professor recruited by UESTC through the Thousand Talents Plan established a company called Koala AI. The company produces artificial intelligence surveillance systems that are used in Xinjiang, where an estimated 1.5 million Uyghurs and other ethnic minorities have disappeared into concentration camps.
UESTC has close relationships with the Chinese defence industry. The university operates a national laboratory on high-power radiation with the Chinese Academy of Engineering Physics, the PRC’s primary nuclear warhead research complex. CETC, a state-owned defence conglomerate, partnered jointly with the MOE to develop UESTC’s capabilities. Under the arrangement, UESTC agreed to expand its collaboration with CETC, help train CETC personnel and send its best students to work at CETC. Defence industry agency SASTIND also signed agreements to supervise UESTC in 2008 and 2016.
The tag is: misp-galaxy:china-defence-universities="University of Electronic Science and Technology of China (电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/university-of-electronic-science-and-technology-of-china |
University of International Relations (国际关系学院)
UIR claims it was established in 1949 under the direction of then Premier Zhou Enlai. In 1964 it was designated as a ‘national key university’, and this appears to be the evidence it uses to claim it is a Ministry of Education university. However, the university does not appear on the Ministry of Education’s list of subordinate universities.
Individuals formerly and presently affiliated with the university have also held affiliations with the MSS or the MSS-linked think tank the China Institutes of Contemporary International Relations (中国现代国际关系研究院). They include Geng Huichang (耿惠昌), a former Minister of State Security (2007-2016) and vice minister of State Security (1998-2007). Prior to this he was the head of China Institutes of Contemporary International Relations from 1992 to 1998. From 1990 to 1992, he was the director of UIR’s American Research Department and from 1985-1990 he was deputy director of the American Research department. Notably, current UIR President Tao Jian is also a former CICIR vice-president and a UIR graduate.
UIR gives the MSS a way to work with foreign universities and academics to shape and learn about perceptions of the PRC’s views on security. It also provides a platform for the MSS to identify talent, recruit officers and collect intelligence.
The university’s Hangzhou campus, also known as the Zhejiang Second People’s Police School, may carry out more practical training of MSS officers and has been described on a local government website as ‘specialising in training special talent’. Some graduates of the Hangzhou campus have moved straight into MSS positions. The Hangzhou campus works closely with Zhejiang University on teaching and research.
The tag is: misp-galaxy:china-defence-universities="University of International Relations (国际关系学院)"
Links |
https://unitracker.aspi.org.au/universities/university-of-international-relations |
University of Science and Technology Beijing (北京科技大学)
USTB is a leading university subordinate to the MOE. The university engages in high levels of defence research and claims to be among the top MOE universities for defence spending. Since 2018, it has been under a joint-construction agreement between the MOE and defence industry agency SASTIND that is designed to expand its involvement in defence research.
USTB is known as the ‘cradle of steel’ for its training and research on metallurgy. The university’s defence research appears to focus on metallurgy and materials science. It hosts at least three laboratories dedicated to defence research, including two that are jointly run with state-owned defence conglomerates. The head of USTB’s Institute of Advanced Materials and Technology also heads a SASTIND-supported defence science and technology innovation team.
The university holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.
The tag is: misp-galaxy:china-defence-universities="University of Science and Technology Beijing (北京科技大学)"
Links |
https://unitracker.aspi.org.au/universities/university-of-science-and-technology-beijing |
University of Science and Technology of China (中国科学技术大学)
The University of Science and Technology of China is among China’s most prestigious universities in science and technology. Uniquely, it was established and is supervised by the Chinese Academy of Sciences, intended to serve national objectives in science and technology. Xi Jinping personally inspected USTC in 2016, urging it to pursue “even more outstanding achievements in teaching and innovation.” It is a member of the C9 League and in the “211 Project” and “985 Project.” While providing undergraduate and graduate-level education, USTC is also highly active in research across a number of major laboratories, including several that support research that is related to national defense and the development of dual-use technologies, such as brain-inspired approaches to artificial intelligence and quantum information science. USTC has a long history of contributions to science in the service of the state, and it has recently sought to deepen its contributions to military research, including through establishing a new center for military-civil fusion. Several USTC professors, including prominently Pan Jianwei, have partnered with the defense industry to pursue military applications of their technologies.
The tag is: misp-galaxy:china-defence-universities="University of Science and Technology of China (中国科学技术大学)"
Links |
https://unitracker.aspi.org.au/universities/university-of-science-and-technology-of-china |
University of Shanghai for Science and Technology (上海理工大学)
USST describes itself as a ‘university with defence characteristics’. It has been under the joint supervision of Shanghai and defence industry agency SASTIND since 2016.
It is engaged in growing levels of defence research and holds second-class weapons research and development secrecy credentials, allowing it to undertake classified projects. In 2017, its spending on defence research reached RMB13 million (AUD2.6 million).
SASTIND has designated areas within the fields of optics, energy and control science as defence disciplines at USST, indicating that the university’s defence research focuses on these areas.
In 2017, the university established a joint venture on terahertz radiation technology with subsidiaries of defence conglomerate Norinco Group.
The tag is: misp-galaxy:china-defence-universities="University of Shanghai for Science and Technology (上海理工大学)"
Links |
https://unitracker.aspi.org.au/universities/university-of-shanghai-for-science-and-technology |
University of South China (南华大学)
USC specialises in nuclear engineering. It has a well-developed defence research program and has been the subject of several joint-construction agreements between the Hunan Provincial Government and defence industry agency SASTIND since 2002. These agreements are designed to ‘support USC in going a step further to display its defence characteristics based on the development needs of the defence technology industry.’ USC is also supervised by China National Nuclear Corporation, a state-owned defence nuclear engineering conglomerate.
USC carries out large amounts of defence research related to nuclear engineering, as well as work on information technology, communications engineering, control engineering and electrical engineering. The university received secret level security credentials in 2008, allowing it to work on classified defence projects.
The tag is: misp-galaxy:china-defence-universities="University of South China (南华大学)"
Links |
https://unitracker.aspi.org.au/universities/university-of-south-china |
Wuhan University (武汉大学)
WHU is a leading Chinese university subordinate to the Ministry of Education. The university has close ties to the military and has been subject to a joint-supervision agreement between the Ministry of Education and defence industry agency SASTIND since 2016, an arrangement designed to increase its involvement in defence research. In 2015, WHU planned to spend RMB200 million (AUD42 million) on defence research for the year and described itself as ‘a university with a strong reputation in the defence science and technology field’.
WHU carries out defence research in a wide range of fields, including navigation, computer simulation, electronic information, electromagnetics, aerospace remote sensing, materials science, cyber security and explosions. The university is an important site of research for China’s Beidou satellite navigation system.
Aside from being involved in defence research, there are strong indications that WHU has carried out cyber attacks for the People’s Liberation Army. One of the university’s two defence laboratories purportedly established by the Ministry of Education, the Key Laboratory of Aerospace Information Security and Trusted Computing, has been accused by unnamed US and Taiwanese officials of carrying out cyberattacks.
The tag is: misp-galaxy:china-defence-universities="Wuhan University (武汉大学)"
Links |
https://unitracker.aspi.org.au/universities/wuhan-university |
Wuhan University of Technology (武汉理工大学)
WHUT is subordinate to the Ministry of Education. The university originally specialised in research relating to construction, transport and automobiles. It engages in high levels of defence research and has been under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND since 2016. It holds secret-level security credentials.
The university hosts two Ministry of Education laboratories dedicated to defence research on materials science and ship technology. WHUT also works closely with the PLA Air Force on defensive engineering such as the construction of aircraft bunkers and underground shelters. Since 2001, WHUT and the Guangdong Military Region Air Force Engineering and Construction Bureau have run a joint research institute, which ‘takes advantage of [WHUT’s] State Key Laboratory of Advanced Technology for Materials Synthesis and Processing’. ‘In 2012, the PLA Air Force Logistics Department and WHUT held a signing ceremony inaugurating the “Air Force-level Military-Civil Fusion Air Defence Engineering Construction Technology Innovation Platform Cooperation Agreement” (空军级军民融合式空防工程建设科技创新平台合作协议)’. The same department in cooperation with WHUT also jointly established the Air Force Air Defence Engineering Construction Technology Innovation Platform (空军级空防工程建设科技创新平台), with ‘the goal of innovating mutually beneficial technologies.’
The tag is: misp-galaxy:china-defence-universities="Wuhan University of Technology (武汉理工大学)"
Links |
https://unitracker.aspi.org.au/universities/wuhan-university-of-technology |
Xi’an Jiaotong University (西安交通大学)
XJTU is subordinate to the Ministry of Education. It is also supervised by SASTIND as part of a program to develop defense research capabilities within Chinese universities. The university describes its strategy as being ‘based in Shaanxi, geared toward the needs of the nation, and serving the national defense industry.’
The university is advanced in its implementation of military-civil fusion and has established strategic partnerships with China Aerospace Science and Technology Corporation, China Aerospace Science and Industry Corporation, and the Aero Engine Corporation of China. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Xi’an Jiaotong University (西安交通大学)"
Links |
https://unitracker.aspi.org.au/universities/xian-jiaotong-university |
Xi’an Technological University (西安工业大学)
XATU is a civilian university that primarily engages in defence research. XATU describes itself as ‘having distinct defence-industrial characteristics’ and is heavily involved in weapons development. Since 2016, it has been subject to a ‘joint construction’ agreement between the Shaanxi Provincial Government and defence industry agency SASTIND designed to deepen its defence links.
The university’s main areas of defence research include photoelectric imaging technology, manufacturing technology, materials science, detection and measurement technology and weapons systems. It holds secret-level security credentials.
XATU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science; the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). Apart from Shenyang Ligong University, XATU is the only Chinese civilian university known to be supervised by state-owned arms manufacturers China North Industries Group (Norinco Group) and China South Industries Group.
The tag is: misp-galaxy:china-defence-universities="Xi’an Technological University (西安工业大学)"
Links |
https://unitracker.aspi.org.au/universities/xian-technological-university |
Xi’an University of Posts and Telecommunications (西安邮电大学)
XUPT is a leading Chinese university supervised by the Shaanxi Provincial Government and the Department of Information Technology. The university was established in 1959 as an institution focused on communications and information technology. XUPT retains a focus on these disciplines to this day. XUPT’s faculties include colleges focusing on artificial intelligence, automation, cyber security and electrical engineering.
XUPT maintains close links to China’s Ministry of Public Security (MPS). The university has signed agreements and established joint laboratories with the MPS’s local counterparts.
In November 2013, XUPT partnered with the Shaanxi Municipal Government’s public security ministry to establish the MPS Key Laboratory of Electronic Information Application Technology for Scene Investigation (公安部电子信息现场勘验应用技术重点实验室). This was the first such joint laboratory that the MPS established with a university in any of China’s five north-western provinces.
XUPT partnered with Xi’an’s Yanta District Public Security Bureau branch in November 2018, establishing the ‘Joint Laboratory for Smart Public Security Information Analysis and Applications’ (公安信息智能分析及应用联合实验室). The joint laboratory develops applications of artificial intelligence for analysing criminal information.
The tag is: misp-galaxy:china-defence-universities="Xi’an University of Posts and Telecommunications (西安邮电大学)"
Links |
https://unitracker.aspi.org.au/universities/xian-university-of-posts-and-telecommunications |
Xiamen University (厦门大学)
XMU is one of China’s leading universities, but it does not appear to engage in high levels of defence research. However, in 2018 it came under a joint supervision agreement between the Ministry of Education, the Fujian Provincial Government and defence industry agency SASTIND that indicates XMU will expand its involvement in defence research. The arrangement is designed to ‘upgrade the university’s ability to innovate defence science and technology and actively integrate itself with the development of military-civil fusion.’
In 2017, XMU allegedly conspired with Huawei to steal trade secrets from CNEX Labs Inc., an American semiconductor startup. CNEX claims that Huawei and XMU engaged in a multiyear conspiracy to steal the company’s solid-state drive computer storage technology.
The university appears to be involved in the development of military-use heavy-duty coatings. In 2017, XMU, Fujian Normal University, Fujian Liheng Paint Co. Ltd. (福建立恒涂料有限公司) and People’s Liberation Army Unit 63983 jointly established the Haixi Liheng New Materials Research Institute (海西立恒新材料研究院). Fujian Liheng Paint specialises in heavy-duty coatings for warships and holds confidential-level security credentials, allowing it to participate in classified defence projects.
The tag is: misp-galaxy:china-defence-universities="Xiamen University (厦门大学)"
Links |
https://unitracker.aspi.org.au/universities/xiamen-university |
Xiangtan University (湘潭大学)
XTU is a university in Chairman Mao Zedong’s hometown that has substantially expanded its participation in defence research in recent years. It has been subject to two ‘joint construction’ agreements between the Hunan Provincial Government and defence industry agency SASTIND that are designed to help the university ‘draw out its national defence characteristics’. In the university’s own words, its ‘military-civil fusion characteristics are becoming clearer with each day’, and it increased its spending on military-related projects by 60% from 2017 to 2018, spending over RMB31 million (AUD6 million) in 2018.
XTU’s defence research covers areas including materials science, energy, measurement technology and electromagnetic waves. The university has developed partnerships with a major PLA nuclear technology research institution, Northwest Institute of Nuclear Technology, and several defence companies, including subsidiaries of arms manufacturer Norinco Group and defence aviation conglomerate Aero Engine Corporation of China.
XTU holds secret-level security credentials, allowing it to participate in classified defence technology projects.
The tag is: misp-galaxy:china-defence-universities="Xiangtan University (湘潭大学)"
Links |
https://unitracker.aspi.org.au/universities/xiangtan-university |
Xidian University (西安电子科技大学)
Xidian University is among China’s top universities for research on antennas, radar, electronic countermeasures and computer science. The university is subordinate to the Ministry of Education and is also jointly supervised by defence industry agency SASTIND and defence electronics conglomerate CETC. It claims it has ‘made important contributions to military modernisation’.
The university is closely tied to China’s defense industry and the PLA. It runs at least five defence laboratories and partners with the PLA’s signals intelligence organization. Xidian appears to be an important training ground for Chinese military hackers. According to Xidian’s party secretary, the university has had an ‘unbreakable bond with secret intelligence work since its beginning’. It also holds secret-level security credentials that allow it to work on classified weapons projects.
The tag is: misp-galaxy:china-defence-universities="Xidian University (西安电子科技大学)"
Links |
https://unitracker.aspi.org.au/universities/xidian-university |
Yanshan University (燕山大学)
The university was formed as an offshoot of Harbin Institute of Technology, one of China’s top defence universities, in 1960. The university continues to prioritise defence research and is jointly supervised by the Hebei Provincial Government together with the Ministry of Education, Ministry of Industry and Information Technology and defence industry agency SASTIND. YSU’s Defense Science and Technology Institute was established in 2006 under the support of COSTIND (a defence industry agency that has been replaced by SASTIND) to expand and oversee defence research at the university. The institute has driven the university’s involvement in space-related defence research through the establishment of laboratories such as the Key Laboratory of Fundamental Science of Mechanical Structure and Materials Science Under Extreme Conditions. Four fields of research at YSU are officially designated as defence disciplines: control theory and control science, electrical circuits and systems, mechanical design and theory, and materials science and engineering. The university holds secret-level security credentials.
The tag is: misp-galaxy:china-defence-universities="Yanshan University (燕山大学)"
Links |
https://unitracker.aspi.org.au/universities/yanshan-university |
Yunnan Normal University (云南师范大学)
YNNU is a Chinese university subordinate to the Yunnan Provincial Government. Since 2013 it has also been supervised by the Ministry of Education. The university has been focused on training teachers since its inception as the Kunming Teachers College (昆明师范学院) in 1950. YNNU now has a broader focus on a variety of humanities, social and natural science disciplines. YNNU is organised into numerous faculties, some of which are relevant for communist party cadre training:
The tag is: misp-galaxy:china-defence-universities="Yunnan Normal University (云南师范大学)"
Links |
https://unitracker.aspi.org.au/universities/yunnan-normal-university |
Zhejiang University (浙江大学)
ZJU is subordinate to the Ministry of Education and jointly constructed with defence industry agency SASTIND. This arrangement with SASTIND began in 2016 and is designed to deepen the university’s involvement in defence research. The university holds secret-level security credentials, allowing it to work on classified military projects. The university’s total research funding amounted to RMB4.56 billion (AUD940 million) in 2018. It has at least three defence laboratories, with one source claiming that the university had ten key national laboratories (国家重点实验室) as of 2015. These laboratories are involved in research on computer simulations, high-performance computing and control science. The university also carries out cyber security research and receives funding for this work from the MSS, China’s civilian intelligence agency. ZJU cooperates extensively with international universities and companies, with upwards of 40 international joint S&T research labs. The College of Electrical Engineering has joint labs with U.S. companies in key industries, such as Rockwell Automation in the field of information technology, and the National Semiconductor Corporation. Additionally, the university has a joint research lab with U.S. company Microsoft.
The tag is: misp-galaxy:china-defence-universities="Zhejiang University (浙江大学)"
Links |
https://unitracker.aspi.org.au/universities/zhejiang-university |
CONCORDIA Mobile Modelling Framework - Attack Pattern
A list of techniques in the CONCORDIA Mobile Modelling Framework.
CONCORDIA Mobile Modelling Framework - Attack Pattern is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Bernardo Santos, OsloMet (Norway)
Prof. Dr. Thanh van Do, Telenor Research (Norway)
Luis Barriga, Ericsson AB (Sweden)
Prof. Boning Feng, OsloMet (Norway)
Van Thuan Do, Wolffia AS (Norway)
Bruno Dzogovic, OsloMet (Norway)
Niels Jacot, Wolffia AS (Norway)
Gather UE Identity Information
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Identity Information"
Gather UE Network Information
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Network Information"
Phishing for Information
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Phishing for Information"
Compromise Infrastructure
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Infrastructure"
Exploit Public-Facing Application
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application"
Malicious App from App Store
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from App Store"
Malicious App from Third Party
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from Third Party"
Masquerade as Legitimate Application
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerade as Legitimate Application"
Exploit via Charging Station or PC
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Charging Station or PC"
Exploit via Radio Interfaces
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Radio Interfaces"
Rogue Cellular Base Station
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Rogue Cellular Base Station"
Insider attacks and human errors
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Insider attacks and human errors"
Command and Scripting Interpreter
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Command and Scripting Interpreter"
Boot or Logon Autostart Execution
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution"
Modify Cached Executable Code
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Cached Executable Code"
Compromise Application Executable
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Application Executable"
Modify OS Kernel or Boot Partition
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Modify OS Kernel or Boot Partition"
Event Triggered Execution
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Event Triggered Execution"
Disguise Root/Jailbreak Indicators
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Disguise Root/Jailbreak Indicators"
Evade Analysis Environment
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Evade Analysis Environment"
Modify Trusted Execution Environment
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Trusted Execution Environment"
Obfuscated Files or Information
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Obfuscated Files or Information"
Suppress Application Icon
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Suppress Application Icon"
Uninstall Malicious Application
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Uninstall Malicious Application"
Install Insecure or Malicious Configuration
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Install Insecure or Malicious Configuration"
Exploitation for Defense Evasion
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploitation for Defense Evasion"
Security Audit Camouflage
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Security Audit Camouflage"
Modify Authentication Process
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Authentication Process"
System Network Connections Discovery
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery"
Internal Resource Search
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Internal Resource Search"
Abusing Inter-working Functionalities
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Abusing Inter-working Functionalities"
Replication Through Bluetooth
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through Bluetooth"
Replication Through WLAN
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through WLAN"
Exploit platform & service specific vulnerabilites
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit platform & service specific vulnerabilites"
Access Sensitive Data in Device Logs
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Access Sensitive Data in Device Logs"
Network Traffic Capture or Redirection
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Network Traffic Capture or Redirection"
Network-specific identifiers
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific identifiers"
Application Layer Protocol
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Application Layer Protocol"
Communication via Bluetooth
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via Bluetooth"
Exploit SS7 to Redirect Phone Calls/SMS
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS"
Exploit SS7 to Track Device Location
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Track Device Location"
Alternate Network Mediums
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Alternate Network Mediums"
Endpoint Denial of Service
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Endpoint Denial of Service"
Manipulate Device Communication
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Manipulate Device Communication"
Jamming or Denial of Service
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Jamming or Denial of Service"
Network Denial of Service
TBD
The tag is: misp-galaxy:cmtmf-attack-pattern="Network Denial of Service"
Country
Country meta information based on the database provided by geonames.org.
Country is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
geonames.org
bosnia and herzegovina
Bosnia and Herzegovina
The tag is: misp-galaxy:country="bosnia and herzegovina"
bonaire, saint eustatius and saba
Bonaire, Saint Eustatius and Saba
The tag is: misp-galaxy:country="bonaire, saint eustatius and saba "
democratic republic of the congo
Democratic Republic of the Congo
The tag is: misp-galaxy:country="democratic republic of the congo"
central african republic
Central African Republic
The tag is: misp-galaxy:country="central african republic"
south georgia and the south sandwich islands
South Georgia and the South Sandwich Islands
The tag is: misp-galaxy:country="south georgia and the south sandwich islands"
heard island and mcdonald islands
Heard Island and McDonald Islands
The tag is: misp-galaxy:country="heard island and mcdonald islands"
british indian ocean territory
British Indian Ocean Territory
The tag is: misp-galaxy:country="british indian ocean territory"
northern mariana islands
Northern Mariana Islands
The tag is: misp-galaxy:country="northern mariana islands"
saint pierre and miquelon
Saint Pierre and Miquelon
The tag is: misp-galaxy:country="saint pierre and miquelon"
svalbard and jan mayen
Svalbard and Jan Mayen
The tag is: misp-galaxy:country="svalbard and jan mayen"
turks and caicos islands
Turks and Caicos Islands
The tag is: misp-galaxy:country="turks and caicos islands"
french southern territories
French Southern Territories
The tag is: misp-galaxy:country="french southern territories"
united states minor outlying islands
United States Minor Outlying Islands
The tag is: misp-galaxy:country="united states minor outlying islands"
united states of america
United States of America
The tag is: misp-galaxy:country="united states of america"
saint vincent and the grenadines
Saint Vincent and the Grenadines
The tag is: misp-galaxy:country="saint vincent and the grenadines"
british virgin islands
British Virgin Islands
The tag is: misp-galaxy:country="british virgin islands"
Cryptominers
A list of cryptominer and cryptojacker malware.
Cryptominers is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Cisco Talos - raw-data
Lemon Duck
The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.
The tag is: misp-galaxy:cryptominers="Lemon Duck"
Lemon Duck is also known as:
Links |
https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html |
https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/ |
WannaMine
WannaMine is a cryptojacker that takes advantage of EternalBlue.
The tag is: misp-galaxy:cryptominers="WannaMine"
WannaMine is also known as:
Blue Mockingbird Cryptominer
Blue Mockingbird Cryptominer is a cryptomining payload delivered as DLLs on Windows systems.
The tag is: misp-galaxy:cryptominers="Blue Mockingbird Cryptominer"
Links |
Krane
The Krane malware uses SSH brute-force techniques to drop the XMRig cryptominer on the target to mine for the Hashvault pool.
The tag is: misp-galaxy:cryptominers="Krane"
Links |
Hezb
The name “Hezb” is based on command-line artifact data; the malware was observed alongside Kinsing. It is relatively new and was reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.
The tag is: misp-galaxy:cryptominers="Hezb"
Links |
https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ |
Actor Types
DISARM is a framework designed for describing and understanding disinformation incidents.
Actor Types is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
DISARM Project
data scientist
Person who can wrangle data, implement machine learning algorithms, etc.
The tag is: misp-galaxy:disarm-actortypes="data scientist"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A001.md |
target
Person being targeted by a disinformation campaign.
The tag is: misp-galaxy:disarm-actortypes="target"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A002.md |
trusted authority
Influencer
The tag is: misp-galaxy:disarm-actortypes="trusted authority"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A003.md |
activist
The tag is: misp-galaxy:disarm-actortypes="activist"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A004.md |
community group
The tag is: misp-galaxy:disarm-actortypes="community group"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A005.md |
educator
The tag is: misp-galaxy:disarm-actortypes="educator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A006.md |
factchecker
Someone with the skills to verify whether posted information is factual.
The tag is: misp-galaxy:disarm-actortypes="factchecker"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A007.md |
library
The tag is: misp-galaxy:disarm-actortypes="library"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A008.md |
NGO
The tag is: misp-galaxy:disarm-actortypes="NGO"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A009.md |
religious organisation
The tag is: misp-galaxy:disarm-actortypes="religious organisation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A010.md |
school
The tag is: misp-galaxy:disarm-actortypes="school"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A011.md |
account owner
Anyone who owns an account online.
The tag is: misp-galaxy:disarm-actortypes="account owner"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A012.md |
content creator
The tag is: misp-galaxy:disarm-actortypes="content creator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A013.md |
elves
The tag is: misp-galaxy:disarm-actortypes="elves"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A014.md |
general public
The tag is: misp-galaxy:disarm-actortypes="general public"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A015.md |
influencer
The tag is: misp-galaxy:disarm-actortypes="influencer"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A016.md |
coordinating body
For example, the DHS.
The tag is: misp-galaxy:disarm-actortypes="coordinating body"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A017.md |
government
Government agencies.
The tag is: misp-galaxy:disarm-actortypes="government"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A018.md |
military
The tag is: misp-galaxy:disarm-actortypes="military"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A019.md |
policy maker
The tag is: misp-galaxy:disarm-actortypes="policy maker"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A020.md |
media organisation
The tag is: misp-galaxy:disarm-actortypes="media organisation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A021.md |
company
The tag is: misp-galaxy:disarm-actortypes="company"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A022.md |
adtech provider
The tag is: misp-galaxy:disarm-actortypes="adtech provider"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A023.md |
developer
The tag is: misp-galaxy:disarm-actortypes="developer"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A024.md |
funding_site_admin
Funding site admin
The tag is: misp-galaxy:disarm-actortypes="funding_site_admin"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A025.md |
games designer
The tag is: misp-galaxy:disarm-actortypes="games designer"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A026.md |
information security
The tag is: misp-galaxy:disarm-actortypes="information security"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A027.md |
platform administrator
The tag is: misp-galaxy:disarm-actortypes="platform administrator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A028.md |
server admininistrator
The tag is: misp-galaxy:disarm-actortypes="server admininistrator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A029.md |
platforms
The tag is: misp-galaxy:disarm-actortypes="platforms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A030.md |
social media platform adminstrator
Person with the authority to make changes to algorithms, take down content etc.
The tag is: misp-galaxy:disarm-actortypes="social media platform adminstrator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A031.md |
social media platform outreach
The tag is: misp-galaxy:disarm-actortypes="social media platform outreach"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A032.md |
social media platform owner
Person with the authority to make changes to a social media company’s business model.
The tag is: misp-galaxy:disarm-actortypes="social media platform owner"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/actortypes/A033.md |
Countermeasures
DISARM is a framework designed for describing and understanding disinformation incidents.
Countermeasures is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
DISARM Project
Charge for social media
Include a paid-for privacy option, e.g. pay Facebook for an option of them not collecting your personal information. There are examples of this not working, e.g. most people don’t use Proton Mail etc.
The tag is: misp-galaxy:disarm-countermeasures="Charge for social media"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00006.md |
Create shared fact-checking database
Share fact-checking resources (tips, responses, countermessages) across response groups.
The tag is: misp-galaxy:disarm-countermeasures="Create shared fact-checking database"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00008.md |
Educate high profile influencers on best practices
Find online influencers. Provide training in the mechanisms of disinformation, how to spot campaigns, and/or how to contribute to responses by countermessaging, boosting information sites etc.
The tag is: misp-galaxy:disarm-countermeasures="Educate high profile influencers on best practices"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00009.md |
Enhanced privacy regulation for social media
Implement stronger privacy standards, to reduce the ability to microtarget community members.
The tag is: misp-galaxy:disarm-countermeasures="Enhanced privacy regulation for social media"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00010.md |
Media literacy. Games to identify fake news
Create and use games to show people the mechanics of disinformation, and how to counter them.
The tag is: misp-galaxy:disarm-countermeasures="Media literacy. Games to identify fake news"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00011.md |
Platform regulation
Empower existing regulators to govern social media. Also covers Destroy. Includes: include the role of social media in the regulatory framework for media. The U.S. approach will need to be carefully crafted to protect First Amendment principles, create needed transparency, ensure liability, and impose costs for noncompliance. Includes: create policy that makes social media police disinformation. Includes: use fraud legislation to clean up social media.
The tag is: misp-galaxy:disarm-countermeasures="Platform regulation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00012.md |
Rating framework for news
This is "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news. Examples: journalistic ethics, or a journalistic licensing body. Include full transcripts, link sources, add items.
The tag is: misp-galaxy:disarm-countermeasures="Rating framework for news"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00013.md |
Real-time updates to fact-checking database
Update fact-checking databases and resources in real time. Especially important for time-limited events like natural disasters.
The tag is: misp-galaxy:disarm-countermeasures="Real-time updates to fact-checking database"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00014.md |
Censorship
Alter and/or block the publication/dissemination of information controlled by disinformation creators. Not recommended.
The tag is: misp-galaxy:disarm-countermeasures="Censorship"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00016.md |
Repair broken social connections
For example, use a media campaign to promote in-person communication and activities between in-group and out-group. The technique could be framed as forcing a reality check by talking to people instead of reading about bogeymen.
The tag is: misp-galaxy:disarm-countermeasures="Repair broken social connections"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00017.md |
Reduce effect of division-enablers
Includes “Promote constructive communication by shaming division-enablers” and “Promote playbooks to call out division-enablers”.
The tag is: misp-galaxy:disarm-countermeasures="Reduce effect of division-enablers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00019.md |
Encourage in-person communication
Encourage offline communication.
The tag is: misp-galaxy:disarm-countermeasures="Encourage in-person communication"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00021.md |
Innoculate. Positive campaign to promote feeling of safety
Used to counter ability-based and fear-based attacks.
The tag is: misp-galaxy:disarm-countermeasures="Innoculate. Positive campaign to promote feeling of safety"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00022.md |
Promote healthy narratives
Includes promoting constructive narratives i.e. not polarising (e.g. pro-life, pro-choice, pro-USA). Includes promoting identity neutral narratives.
The tag is: misp-galaxy:disarm-countermeasures="Promote healthy narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00024.md |
Shore up democracy based messages
Messages about e.g. peace and freedom, made appealing. Includes “Deploy Information and Narrative-Building in Service of Statecraft”: promote a narrative of transparency, truthfulness, liberal values, and democracy; implement a compelling narrative via effective mechanisms of communication; continually reassess messages, mechanisms, and audiences over time; counteract efforts to manipulate media, undermine free markets, and suppress political freedoms via public diplomacy.
The tag is: misp-galaxy:disarm-countermeasures="Shore up democracy based messages"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00026.md |
Create culture of civility
This is passive. Includes promoting civility as an identity that people will defend.
The tag is: misp-galaxy:disarm-countermeasures="Create culture of civility"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00027.md |
Make information provenance available
Blockchain audit log and validation with collaborative decryption to post comments. Use blockchain technology to require collaborative validation before posts or comments are submitted. This could be used to adjust upvote weight via a trust factor of people and organisations you trust, or other criteria.
The tag is: misp-galaxy:disarm-countermeasures="Make information provenance available"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00028.md |
Create fake website to issue counter narrative and counter narrative through physical merchandise
Create websites in disinformation voids - spaces where people are looking for known disinformation.
The tag is: misp-galaxy:disarm-countermeasures="Create fake website to issue counter narrative and counter narrative through physical merchandise"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00029.md |
Develop a compelling counter narrative (truth based)
The tag is: misp-galaxy:disarm-countermeasures="Develop a compelling counter narrative (truth based)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00030.md |
Dilute the core narrative - create multiple permutations, target / amplify
Create competing narratives. Included "Facilitate State Propaganda" as diluting the narrative could have an effect on the pro-state narrative used by volunteers, or lower their involvement.
The tag is: misp-galaxy:disarm-countermeasures="Dilute the core narrative - create multiple permutations, target / amplify"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00031.md |
Hijack content and link to truth- based info
Link to platform.
The tag is: misp-galaxy:disarm-countermeasures="Hijack content and link to truth- based info"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00032.md |
Create more friction at account creation
Counters fake accounts.
The tag is: misp-galaxy:disarm-countermeasures="Create more friction at account creation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00034.md |
Infiltrate the in-group to discredit leaders (divide)
All of these would be highly affected by infiltration or false-claims of infiltration.
The tag is: misp-galaxy:disarm-countermeasures="Infiltrate the in-group to discredit leaders (divide)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00036.md |
third party verification for people
Counters fake experts.
The tag is: misp-galaxy:disarm-countermeasures="third party verification for people"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00040.md |
Address truth contained in narratives
Focus on and boost truths in misinformation narratives, removing misinformation from them.
The tag is: misp-galaxy:disarm-countermeasures="Address truth contained in narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00042.md |
Keep people from posting to social media immediately
Platforms can introduce friction to slow down activities, force a small delay between posts, or replies to posts.
The tag is: misp-galaxy:disarm-countermeasures="Keep people from posting to social media immediately"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00044.md |
Marginalise and discredit extremist groups
Reduce the credibility of extremist groups posting misinformation.
The tag is: misp-galaxy:disarm-countermeasures="Marginalise and discredit extremist groups"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00046.md |
Honeypot with coordinated inauthentics
Flood disinformation spaces with obviously fake content, to dilute core misinformation narratives in them.
The tag is: misp-galaxy:disarm-countermeasures="Honeypot with coordinated inauthentics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00047.md |
Name and Shame Influencers
Think about the different levels: individual vs state-sponsored account. Includes “call them out” and “name and shame”. Identifying social media accounts as sources of propaganda (“calling them out”) might help prevent the spread of their message to audiences that would otherwise consider them factual. Identify, monitor, and, if necessary, target externally-based nonattributed social media accounts. Impact of and Dealing with Trolls: "Chatham House has observed that trolls also sometimes function as decoys, as a way of “keeping the infantry busy” that “aims to wear down the other side” (Lough et al., 2014)." Another type of troll involves “false accounts posing as authoritative information sources on social media”.
The tag is: misp-galaxy:disarm-countermeasures="Name and Shame Influencers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00048.md |
Counter social engineering training
Includes anti-elicitation training, phishing prevention education.
The tag is: misp-galaxy:disarm-countermeasures="Counter social engineering training"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00051.md |
Infiltrate platforms
Detect and degrade
The tag is: misp-galaxy:disarm-countermeasures="Infiltrate platforms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00052.md |
Delete old accounts / Remove unused social media accounts
Remove, or remove access to (e.g. stop the ability to update), old social media accounts, to reduce the pool of accounts available for takeover, botnets etc.
The tag is: misp-galaxy:disarm-countermeasures="Delete old accounts / Remove unused social media accounts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00053.md |
Encourage people to leave social media
Encourage people to leave social media. We don’t expect this to work.
The tag is: misp-galaxy:disarm-countermeasures="Encourage people to leave social media"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00056.md |
Report crowdfunder as violator
Counters crowdfunding. Includes “Expose online funding as fake”.
The tag is: misp-galaxy:disarm-countermeasures="Report crowdfunder as violator"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00058.md |
Verification of project before posting fund requests
Third-party verification of projects posting funding campaigns before those campaigns can be posted.
The tag is: misp-galaxy:disarm-countermeasures="Verification of project before posting fund requests"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00059.md |
Legal action against for-profit engagement factories
Take legal action against for-profit "factories" creating misinformation.
The tag is: misp-galaxy:disarm-countermeasures="Legal action against for-profit engagement factories"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00060.md |
Free open library sources worldwide
Open-source libraries could be created that aid in some way for each technique. Even for Strategic Planning, some open-source frameworks such as DISARM can be created to counter the adversarial efforts.
The tag is: misp-galaxy:disarm-countermeasures="Free open library sources worldwide"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00062.md |
Reduce political targeting
Includes “ban political micro targeting” and “ban political ads”
The tag is: misp-galaxy:disarm-countermeasures="Reduce political targeting"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00065.md |
Co-opt a hashtag and drown it out (hijack it back)
Flood a disinformation-related hashtag with other content.
The tag is: misp-galaxy:disarm-countermeasures="Co-opt a hashtag and drown it out (hijack it back)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00066.md |
Denigrate the recipient/ project (of online funding)
Reduce the credibility of groups behind misinformation-linked funding campaigns.
The tag is: misp-galaxy:disarm-countermeasures="Denigrate the recipient/ project (of online funding)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00067.md |
Block access to disinformation resources
Resources = accounts, channels etc. Block access to platform. DDOS an attacker. TA02*: DDOS at the critical time, to deny an adversary’s time-bound objective. T0008: A quick response to a proto-viral story will affect its ability to spread and raise questions about its legitimacy. Hashtag: Against the platform, by drowning the hashtag. T0046 - Search Engine Optimisation: Sub-optimal website performance affects its search engine rank, which I interpret as "blocking access to a platform".
The tag is: misp-galaxy:disarm-countermeasures="Block access to disinformation resources"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00070.md |
Block source of pollution
Block websites, accounts, groups etc connected to misinformation and other information pollution.
The tag is: misp-galaxy:disarm-countermeasures="Block source of pollution"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00071.md |
Remove non-relevant content from special interest groups - not recommended
Check special-interest groups (e.g. medical, knitting) for unrelated and misinformation-linked content, and remove it.
The tag is: misp-galaxy:disarm-countermeasures="Remove non-relevant content from special interest groups - not recommended"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00072.md |
Inoculate populations through media literacy training
Use training to build the resilience of at-risk populations. Educate on how to handle info pollution. Push out targeted education on why it’s pollution. Build cultural resistance to false content, e.g. cultural resistance to bullshit. Influence literacy training, to inoculate against “cult” recruiting. Media literacy training: leverage librarians / library for media literacy training. Inoculate at language. Strategic planning included as inoculating population has strategic value. To bring concepts of media literacy to a mass audience, authorities could launch a public information campaign; such a programme will take time to develop and establish impact, so curriculum-based training is recommended. Covers detect, deny, and degrade.
The tag is: misp-galaxy:disarm-countermeasures="Inoculate populations through media literacy training"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00073.md |
Identify and delete or rate limit identical content
C00000
The tag is: misp-galaxy:disarm-countermeasures="Identify and delete or rate limit identical content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00074.md |
normalise language
Normalise the language around disinformation and misinformation; give people the words for artefact and effect types.
The tag is: misp-galaxy:disarm-countermeasures="normalise language"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00075.md |
Prohibit images in political discourse channels
Make political discussion channels text-only.
The tag is: misp-galaxy:disarm-countermeasures="Prohibit images in political discourse channels"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00076.md |
Active defence: run TA15 "develop people” - not recommended
Develop networks of communities and influencers around counter-misinformation. Match them to misinformation creators.
The tag is: misp-galaxy:disarm-countermeasures="Active defence: run TA15 "develop people” - not recommended"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00077.md |
Change Search Algorithms for Disinformation Content
Includes “change image search algorithms for hate groups and extremists” and “Change search algorithms for hate and extremist queries to show content sympathetic to opposite side”
The tag is: misp-galaxy:disarm-countermeasures="Change Search Algorithms for Disinformation Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00078.md |
Create competing narrative
Create counternarratives, or narratives that compete in the same spaces as misinformation narratives. Could also count as degrade.
The tag is: misp-galaxy:disarm-countermeasures="Create competing narrative"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00080.md |
Highlight flooding and noise, and explain motivations
Discredit by pointing out the "noise" and informing the public that "flooding" is a technique of disinformation campaigns; point out the intended objective of the "noise".
The tag is: misp-galaxy:disarm-countermeasures="Highlight flooding and noise, and explain motivations"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00081.md |
Ground truthing as automated response to pollution
Also inoculation.
The tag is: misp-galaxy:disarm-countermeasures="Ground truthing as automated response to pollution"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00082.md |
Modify disinformation narratives, and rebroadcast them
Includes “poison pill recasting of message” and “steal their truths”. Many techniques involve promotion which could be manipulated. For example, online fundings or rallies could be advertised, through compromised or fake channels, as being associated with "far-up/down/left/right" actors. "Long Game" narratives could be subjected in a similar way with negative connotations. Can also replay technique T0003.
The tag is: misp-galaxy:disarm-countermeasures="Modify disinformation narratives, and rebroadcast them"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00084.md |
Mute content
Rate-limit disinformation content. Reduces its effects, whilst not running afoul of censorship concerns. Online archives of content (archives of websites, social media profiles, media, copies of published advertisements; or archives of comments attributed to bad actors, as well as anonymised metadata about users who interacted with them and analysis of the effect) are useful for intelligence analysis and public transparency, but will need similar muting or tagging/shaming as associated with bad actors.
The tag is: misp-galaxy:disarm-countermeasures="Mute content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00085.md |
Distract from noise with addictive content
Example: Interject addictive links or contents into discussions of disinformation materials and measure a "conversion rate" of users who engage with your content and away from the social media channel’s "information bubble" around the disinformation item. Use bots to amplify and upvote the addictive content.
The tag is: misp-galaxy:disarm-countermeasures="Distract from noise with addictive content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00086.md |
Make more noise than the disinformation
The tag is: misp-galaxy:disarm-countermeasures="Make more noise than the disinformation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00087.md |
Fake engagement system
Create honeypots for misinformation creators to engage with, and reduce the resources they have available for misinformation campaigns.
The tag is: misp-galaxy:disarm-countermeasures="Fake engagement system"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00090.md |
Honeypot social community
Set honeypots, e.g. communities, in networks likely to be used for disinformation.
The tag is: misp-galaxy:disarm-countermeasures="Honeypot social community"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00091.md |
Establish a truth teller reputation score for influencers
Includes “Establish a truth teller reputation score for influencers” and “Reputation scores for social media users”. Influencers are individuals or accounts with many followers.
The tag is: misp-galaxy:disarm-countermeasures="Establish a truth teller reputation score for influencers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00092.md |
Influencer code of conduct
Establish a tailored code of conduct for individuals with many followers. Can be a platform code of conduct; can also be a community code.
The tag is: misp-galaxy:disarm-countermeasures="Influencer code of conduct"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00093.md |
Force full disclosure on corporate sponsor of research
Accountability move: make sure research is published with its funding sources.
The tag is: misp-galaxy:disarm-countermeasures="Force full disclosure on corporate sponsor of research"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00094.md |
Strengthen institutions that are always truth tellers
Increase credibility, visibility, and reach of positive influencers in the information space.
The tag is: misp-galaxy:disarm-countermeasures="Strengthen institutions that are always truth tellers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00096.md |
Require use of verified identities to contribute to poll or comment
Reduce poll flooding by only taking comments or poll entries from verified accounts.
The tag is: misp-galaxy:disarm-countermeasures="Require use of verified identities to contribute to poll or comment"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00097.md |
Revocation of allowlisted or "verified" status
Remove blue checkmarks etc. from known misinformation accounts.
The tag is: misp-galaxy:disarm-countermeasures="Revocation of allowlisted or "verified" status"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00098.md |
Strengthen verification methods
Improve content verification methods available to groups, individuals etc.
The tag is: misp-galaxy:disarm-countermeasures="Strengthen verification methods"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00099.md |
Hashtag jacking
Post large volumes of unrelated content on known misinformation hashtags.
The tag is: misp-galaxy:disarm-countermeasures="Hashtag jacking"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00100.md |
Create friction by rate-limiting engagement
Create participant friction. Includes “make repeat voting hard” and “throttle number of forwards”.
The tag is: misp-galaxy:disarm-countermeasures="Create friction by rate-limiting engagement"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00101.md |
Create a bot that engages / distract trolls
This is a reactive, not an active, measure (honeypots are active). It’s a platform-controlled measure.
The tag is: misp-galaxy:disarm-countermeasures="Create a bot that engages / distract trolls"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00103.md |
Buy more advertising than misinformation creators
Shift influence and algorithms by posting more adverts into spaces than misinformation creators.
The tag is: misp-galaxy:disarm-countermeasures="Buy more advertising than misinformation creators"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00105.md |
Click-bait centrist content
Create emotive centrist content that gets more clicks.
The tag is: misp-galaxy:disarm-countermeasures="Click-bait centrist content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00106.md |
Content moderation
Includes social media content take-downs, e.g. Facebook or Twitter content take-downs.
The tag is: misp-galaxy:disarm-countermeasures="Content moderation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00107.md |
Dampen Emotional Reaction
Reduce emotional responses to misinformation through calming messages, etc.
The tag is: misp-galaxy:disarm-countermeasures="Dampen Emotional Reaction"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00109.md |
Reduce polarisation by connecting and presenting sympathetic renditions of opposite views
The tag is: misp-galaxy:disarm-countermeasures="Reduce polarisation by connecting and presenting sympathetic renditions of opposite views"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00111.md |
"Prove they are not an op!"
Challenge misinformation creators to prove they’re not an information operation.
The tag is: misp-galaxy:disarm-countermeasures=""Prove they are not an op!""
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00112.md |
Debunk and defuse a fake expert / credentials.
Debunk fake experts, their credentials, and potentially also their audience quality.
The tag is: misp-galaxy:disarm-countermeasures="Debunk and defuse a fake expert / credentials."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00113.md |
Don’t engage with payloads
Stop passing on misinformation.
The tag is: misp-galaxy:disarm-countermeasures="Don’t engage with payloads"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00114.md |
Expose actor and intentions
Debunk misinformation creators and posters.
The tag is: misp-galaxy:disarm-countermeasures="Expose actor and intentions"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00115.md |
Provide proof of involvement
Build and post information about the involvement of groups etc. in misinformation incidents.
The tag is: misp-galaxy:disarm-countermeasures="Provide proof of involvement"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00116.md |
Downgrade / de-amplify so message is seen by fewer people
Label promote counter to disinformation
The tag is: misp-galaxy:disarm-countermeasures="Downgrade / de-amplify so message is seen by fewer people"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00117.md |
Repurpose images with new text
Add countermessage text to images used in misinformation incidents.
The tag is: misp-galaxy:disarm-countermeasures="Repurpose images with new text"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00118.md |
Engage payload and debunk.
Debunk misinformation content. Provide a link to the facts.
The tag is: misp-galaxy:disarm-countermeasures="Engage payload and debunk."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00119.md |
Open dialogue about design of platforms to produce different outcomes
Redesign platforms and algorithms to reduce the effectiveness of disinformation.
The tag is: misp-galaxy:disarm-countermeasures="Open dialogue about design of platforms to produce different outcomes"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00120.md |
Tool transparency and literacy for channels people follow.
Make algorithms in platforms explainable, and visible to people using those platforms.
The tag is: misp-galaxy:disarm-countermeasures="Tool transparency and literacy for channels people follow."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00121.md |
Remove or rate limit botnets
Reduce the visibility of known botnets online.
The tag is: misp-galaxy:disarm-countermeasures="Remove or rate limit botnets"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00123.md |
Don’t feed the trolls
Don’t engage with individuals relaying misinformation.
The tag is: misp-galaxy:disarm-countermeasures="Don’t feed the trolls"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00124.md |
Prebunking
Produce material in advance of misinformation incidents, by anticipating the narratives used in them, and debunking them.
The tag is: misp-galaxy:disarm-countermeasures="Prebunking"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00125.md |
Social media amber alert
Create an alert system around disinformation and misinformation artefacts, narratives, and incidents.
The tag is: misp-galaxy:disarm-countermeasures="Social media amber alert"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00126.md |
Create friction by marking content with ridicule or other "decelerants"
Repost or comment on misinformation artefacts, using ridicule or other content to reduce the likelihood of reposting.
The tag is: misp-galaxy:disarm-countermeasures="Create friction by marking content with ridicule or other "decelerants""
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00128.md |
Use banking to cut off access
Fiscal sanctions; parallel to counter-terrorism.
The tag is: misp-galaxy:disarm-countermeasures="Use banking to cut off access"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00129.md |
Mentorship: elders, youth, credit. Learn vicariously.
Train local influencers in countering misinformation.
The tag is: misp-galaxy:disarm-countermeasures="Mentorship: elders, youth, credit. Learn vicariously."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00130.md |
Seize and analyse botnet servers
Take botnet servers offline by seizing them.
The tag is: misp-galaxy:disarm-countermeasures="Seize and analyse botnet servers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00131.md |
Deplatform Account*
Note: Similar to Deplatform People but less generic. Perhaps both should be left.
The tag is: misp-galaxy:disarm-countermeasures="Deplatform Account*"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00133.md |
Deplatform message groups and/or message boards
Merged two rows here.
The tag is: misp-galaxy:disarm-countermeasures="Deplatform message groups and/or message boards"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00135.md |
Microtarget most likely targets then send them countermessages
Find communities likely to be targeted by misinformation campaigns, and send them countermessages or pointers to information sources.
The tag is: misp-galaxy:disarm-countermeasures="Microtarget most likely targets then send them countermessages"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00136.md |
Spam domestic actors with lawsuits
File multiple lawsuits against known misinformation creators and posters, to distract them from disinformation creation.
The tag is: misp-galaxy:disarm-countermeasures="Spam domestic actors with lawsuits"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00138.md |
Weaponise youtube content matrices
God knows what this is. Keeping temporarily in case we work it out.
The tag is: misp-galaxy:disarm-countermeasures="Weaponise youtube content matrices"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00139.md |
"Bomb" link shorteners with lots of calls
Applies to most of the content used by exposure techniques except "T0055 - Use hashtag". Applies to analytics.
The tag is: misp-galaxy:disarm-countermeasures=""Bomb" link shorteners with lots of calls"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00140.md |
Platform adds warning label and decision point when sharing content
Includes “this has been disproved: do you want to forward it”. Includes “‘Hey this story is old’ popup when messaging with old URL”; this assumes that this technique is based on visits to a URL shortener or a captured news site that can publish a message of our choice. Includes “mark clickbait visually”.
The tag is: misp-galaxy:disarm-countermeasures="Platform adds warning label and decision point when sharing content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00142.md |
(botnet) DMCA takedown requests to waste group time
Use copyright infringement claims to remove videos etc.
The tag is: misp-galaxy:disarm-countermeasures="(botnet) DMCA takedown requests to waste group time"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00143.md |
Buy out troll farm employees / offer them jobs
Degrade the infrastructure. Could e.g. pay to not act for 30 days. Not recommended.
The tag is: misp-galaxy:disarm-countermeasures="Buy out troll farm employees / offer them jobs"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00144.md |
Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)
Stop new community activity (likes, comments) on old social media posts.
The tag is: misp-galaxy:disarm-countermeasures="Make amplification of social media posts expire (e.g. can’t like/ retweet after n days)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00147.md |
Add random links to network graphs
If creators are using network analysis to determine how to attack networks, then adding random extra links to those networks might throw that analysis out enough to change attack outcomes. Unsure which DISARM techniques.
The tag is: misp-galaxy:disarm-countermeasures="Add random links to network graphs"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00148.md |
Poison the monitoring & evaluation data
Includes Pollute the AB-testing data feeds: Polluting A/B testing requires knowledge of MOEs and MOPs. A/B testing must be caught early when there is relatively little data available so infiltration of TAs and understanding of how content is migrated from testing to larger audiences is fundamental.
The tag is: misp-galaxy:disarm-countermeasures="Poison the monitoring & evaluation data"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00149.md |
Take pre-emptive action against actors' infrastructure
Align offensive cyber action with information operations and counter disinformation approaches, where appropriate.
The tag is: misp-galaxy:disarm-countermeasures="Take pre-emptive action against actors' infrastructure"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00153.md |
Ask media not to report false information
Train media to spot and respond to misinformation, and ask them not to post or transmit misinformation they’ve found.
The tag is: misp-galaxy:disarm-countermeasures="Ask media not to report false information"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00154.md |
Ban incident actors from funding sites
Ban misinformation creators and posters from funding sites.
The tag is: misp-galaxy:disarm-countermeasures="Ban incident actors from funding sites"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00155.md |
Better tell your country or organisation story
Civil engagement activities conducted on the part of EFP forces. NATO should likewise provide support and training, where needed, to local public affairs and other communication personnel. Local government and military public affairs personnel can play their part in creating and disseminating entertaining and sharable content that supports the EFP mission.
The tag is: misp-galaxy:disarm-countermeasures="Better tell your country or organisation story"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00156.md |
Have a disinformation response plan
e.g. Create a campaign plan and toolkit for competition short of armed conflict (this used to be called “the grey zone”). The campaign plan should account for own vulnerabilities and strengths, and not over-rely on any one tool of statecraft or line of effort. It will identify and employ a broad spectrum of national power to deter, compete, and counter (where necessary) other countries’ approaches, and will include understanding of own capabilities, capabilities of disinformation creators, and international standards of conduct to compete in, shrink the size, and ultimately deter use of competition short of armed conflict.
The tag is: misp-galaxy:disarm-countermeasures="Have a disinformation response plan"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00159.md |
find and train influencers
Identify key influencers (e.g. use network analysis), then reach out to identified users and offer support, through either training or resources.
The tag is: misp-galaxy:disarm-countermeasures="find and train influencers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00160.md |
Coalition Building with stakeholders and Third-Party Inducements
Advance coalitions across borders and sectors, spanning public and private, as well as foreign and domestic, divides. Improve mechanisms to collaborate, share information, and develop coordinated approaches with the private sector at home and allies and partners abroad.
The tag is: misp-galaxy:disarm-countermeasures="Coalition Building with stakeholders and Third-Party Inducements"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00161.md |
Unravel/target the Potemkin villages
Kremlin’s narrative spin extends through constellations of “civil society” organisations, political parties, churches, and other actors. Moscow leverages think tanks, human rights groups, election observers, Eurasianist integration groups, and orthodox groups. A collection of Russian civil society organisations, such as the Federal Agency for the Commonwealth of Independent States Affairs, Compatriots Living Abroad, and International Humanitarian Cooperation, together receive at least US$100 million per year, in addition to government-organized nongovernmental organisations (NGOs), at least 150 of which are funded by Russian presidential grants totaling US$70 million per year.
The tag is: misp-galaxy:disarm-countermeasures="Unravel/target the Potemkin villages"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00162.md |
compatriot policy
Protect the interests of this population and, more importantly, influence the population to support pro-Russia causes and effectively influence the politics of its neighbours.
The tag is: misp-galaxy:disarm-countermeasures="compatriot policy"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00164.md |
Ensure integrity of official documents
E.g. for leaked legal documents, use court motions to limit future discovery actions.
The tag is: misp-galaxy:disarm-countermeasures="Ensure integrity of official documents"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00165.md |
develop a creative content hub
International donors will donate to a basket fund that will pay a committee of local experts who will, in turn, manage and distribute the money to Russian-language producers and broadcasters that pitch various projects.
The tag is: misp-galaxy:disarm-countermeasures="develop a creative content hub"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00169.md |
elevate information as a critical domain of statecraft
Shift from reactive to proactive response, with priority on sharing relevant information with the public and mobilising private-sector engagement. Recent advances in data-driven technologies have elevated information as a source of power to influence the political and economic environment, to foster economic growth, to enable a decision-making advantage over competitors, and to communicate securely and quickly.
The tag is: misp-galaxy:disarm-countermeasures="elevate information as a critical domain of statecraft"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00170.md |
social media source removal
Removing accounts, pages, groups, e.g. facebook page removal
The tag is: misp-galaxy:disarm-countermeasures="social media source removal"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00172.md |
Create a healthier news environment
Free and fair press: create bipartisan, patriotic commitment to press freedom. Note the difference between news and editorialising. Build alternative news sources: create alternative local-language news sources to counter local-language propaganda outlets. Delegitimise the 24-hour news cycle. Includes providing an alternative to disinformation content by expanding and improving local content: develop content that can displace geopolitically motivated narratives in the entire media environment, both new and old media alike.
The tag is: misp-galaxy:disarm-countermeasures="Create a healthier news environment"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00174.md |
Improve Coordination amongst stakeholders: public and private
Coordinated disinformation challenges are increasingly multidisciplinary; there are few organisations within the national security structures that are equipped with the broad-spectrum capability to effectively counter large-scale conflict-short-of-war tactics in real time. Institutional hurdles currently impede diverse subject matter experts hailing from outside of the traditional national security and foreign policy disciplines (e.g., physical science, engineering, media, legal, and economics fields) from contributing to the direct development of national security countermeasures to emerging conflict-short-of-war threat vectors. A Cognitive Security Action Group (CSAG), akin to the Counterterrorism Security Group (CSG), could drive interagency alignment across equivalents of DHS, DoS, DoD, the Intelligence Community, and other implementing agencies, in areas including strategic narrative and the nexus of cyber and information operations.
The tag is: misp-galaxy:disarm-countermeasures="Improve Coordination amongst stakeholders: public and private"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00176.md |
Fill information voids with non-disinformation content
1) Pollute the data voids with wholesome content (Kittens! Babyshark!). 2) Fill data voids with relevant information, e.g. increase Russian-language programming in areas subject to Russian disinformation.
The tag is: misp-galaxy:disarm-countermeasures="Fill information voids with non-disinformation content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00178.md |
Redirection / malware detection/ remediation
Detect redirection or malware, then quarantine or delete.
The tag is: misp-galaxy:disarm-countermeasures="Redirection / malware detection/ remediation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00182.md |
Media exposure
highlight misinformation activities and actors in media
The tag is: misp-galaxy:disarm-countermeasures="Media exposure"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00184.md |
Newsroom/Journalist training to counter influence moves
Includes SEO influence. Includes promotion of a “higher standard of journalism”: journalism training “would be helpful, especially for the online community”. Includes strengthening local media: improve the effectiveness of local media outlets.
The tag is: misp-galaxy:disarm-countermeasures="Newsroom/Journalist training to counter influence moves"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00188.md |
Ensure that platforms are taking down flagged accounts
Use ongoing analysis/monitoring of "flagged" profiles. Confirm whether platforms are actively removing flagged accounts, and raise pressure via e.g. government organisations to encourage removal
The tag is: misp-galaxy:disarm-countermeasures="Ensure that platforms are taking down flagged accounts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00189.md |
open engagement with civil society
Government open engagement with civil society as an independent check on government action and messaging. Government seeks to coordinate and synchronise narrative themes with allies and partners while calibrating action in cases where elements in these countries may have been co-opted by competitor nations. Includes “fight in the light”: Use leadership in the arts, entertainment, and media to highlight and build on fundamental tenets of democracy.
The tag is: misp-galaxy:disarm-countermeasures="open engagement with civil society"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00190.md |
Redirect searches away from disinformation or extremist content
Use Google AdWords to identify instances in which people search Google about particular fake-news stories or propaganda themes. Includes Monetize centrist SEO by subsidising the difference in greater clicks towards extremist content.
The tag is: misp-galaxy:disarm-countermeasures="Redirect searches away from disinformation or extremist content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00195.md |
remove suspicious accounts
Standard reporting for false profiles (identity issues). Includes detecting hijacked accounts and reallocating them - if possible, back to original owners.
The tag is: misp-galaxy:disarm-countermeasures="remove suspicious accounts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00197.md |
Respected figure (influencer) disavows misinfo
FIXIT: standardise language used for influencer/ respected figure.
The tag is: misp-galaxy:disarm-countermeasures="Respected figure (influencer) disavows misinfo"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00200.md |
Set data 'honeytraps'
Set honeytraps in content likely to be accessed for disinformation.
The tag is: misp-galaxy:disarm-countermeasures="Set data 'honeytraps'"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00202.md |
Stop offering press credentials to propaganda outlets
Remove access to official press events from known misinformation actors.
The tag is: misp-galaxy:disarm-countermeasures="Stop offering press credentials to propaganda outlets"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00203.md |
strong dialogue between the federal government and private sector to encourage better reporting
Increase civic resilience by partnering with business community to combat grey zone threats and ensuring adequate reporting and enforcement mechanisms.
The tag is: misp-galaxy:disarm-countermeasures="strong dialogue between the federal government and private sector to encourage better reporting"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00205.md |
Run a competing disinformation campaign - not recommended
The tag is: misp-galaxy:disarm-countermeasures="Run a competing disinformation campaign - not recommended"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00207.md |
Use humorous counter-narratives
The tag is: misp-galaxy:disarm-countermeasures="Use humorous counter-narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00211.md |
build public resilience by making civil society more vibrant
Increase public service experience, and support wider civics and history education.
The tag is: misp-galaxy:disarm-countermeasures="build public resilience by making civil society more vibrant"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00212.md |
Use advertiser controls to stem flow of funds to bad actors
Prevent ad revenue going to disinformation domains
The tag is: misp-galaxy:disarm-countermeasures="Use advertiser controls to stem flow of funds to bad actors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00216.md |
Add metadata to content that’s out of the control of disinformation creators
Steganography. Adding date, signatures etc to stop issue of photo relabelling etc.
The tag is: misp-galaxy:disarm-countermeasures="Add metadata to content that’s out of the control of disinformation creators"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00219.md |
Develop a monitoring and intelligence plan
Create a plan for misinformation and disinformation response before it’s needed. Include connections / contacts needed, expected counter-messages etc.
The tag is: misp-galaxy:disarm-countermeasures="Develop a monitoring and intelligence plan"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00220.md |
Run a disinformation red team, and design mitigation factors
Include PACE plans - Primary, Alternate, Contingency, Emergency
The tag is: misp-galaxy:disarm-countermeasures="Run a disinformation red team, and design mitigation factors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00221.md |
Tabletop simulations
Simulate misinformation and disinformation campaigns, and responses to them, before campaigns happen.
The tag is: misp-galaxy:disarm-countermeasures="Tabletop simulations"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00222.md |
Strengthen Trust in social media platforms
Improve trust in the misinformation responses from social media and other platforms. Examples include creating greater transparency on their actions and algorithms.
The tag is: misp-galaxy:disarm-countermeasures="Strengthen Trust in social media platforms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/counters/C00223.md |
Detections
DISARM is a framework designed for describing and understanding disinformation incidents.
Detections is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
DISARM Project
Analyse aborted / failed campaigns
Examine failed campaigns. How did they fail? Can we create useful activities that increase these failures?
The tag is: misp-galaxy:disarm-detections="Analyse aborted / failed campaigns"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00001.md |
Analyse viral fizzle
We have no idea what this means. Is it something to do with the way a viral story spreads?
The tag is: misp-galaxy:disarm-detections="Analyse viral fizzle"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00002.md |
Exploit counter-intelligence vs bad actors
The tag is: misp-galaxy:disarm-detections="Exploit counter-intelligence vs bad actors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00003.md |
Recruit like-minded converts "people who used to be in-group"
The tag is: misp-galaxy:disarm-detections="Recruit like-minded converts "people who used to be in-group""
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00004.md |
SWOT Analysis of Cognition in Various Groups
Strengths, Weaknesses, Opportunities, Threats analysis of groups and audience segments.
The tag is: misp-galaxy:disarm-detections="SWOT Analysis of Cognition in Various Groups"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00005.md |
SWOT analysis of tech platforms
The tag is: misp-galaxy:disarm-detections="SWOT analysis of tech platforms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00006.md |
Monitor account level activity in social networks
The tag is: misp-galaxy:disarm-detections="Monitor account level activity in social networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00007.md |
Detect abnormal amplification
The tag is: misp-galaxy:disarm-detections="Detect abnormal amplification"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00008.md |
Detect abnormal events
The tag is: misp-galaxy:disarm-detections="Detect abnormal events"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00009.md |
Detect abnormal groups
The tag is: misp-galaxy:disarm-detections="Detect abnormal groups"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00010.md |
Detect abnormal pages
The tag is: misp-galaxy:disarm-detections="Detect abnormal pages"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00011.md |
Detect abnormal profiles, e.g. prolific pages/ groups/ people
The tag is: misp-galaxy:disarm-detections="Detect abnormal profiles, e.g. prolific pages/ groups/ people"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00012.md |
Identify fake news sites
The tag is: misp-galaxy:disarm-detections="Identify fake news sites"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00013.md |
Trace connections
E.g. for fake news sites.
The tag is: misp-galaxy:disarm-detections="Trace connections"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00014.md |
Detect anomalies in membership growth patterns
I include Fake Experts as they may use funding campaigns such as Patreon to fund their operations and so these should be watched.
The tag is: misp-galaxy:disarm-detections="Detect anomalies in membership growth patterns"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00015.md |
Identify fence-sitters
Note: In each case, depending on the platform there may be a way to identify a fence-sitter. For example, online polls may have a neutral option or a "somewhat this-or-that" option, and may reveal who voted for that to all visitors. This information could be of use to data analysts. In TA08-11, the engagement level of victims could be identified to detect and respond to increasing engagement.
The tag is: misp-galaxy:disarm-detections="Identify fence-sitters"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00016.md |
Measure emotional valence
The tag is: misp-galaxy:disarm-detections="Measure emotional valence"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00017.md |
Follow the money
track funding sources
The tag is: misp-galaxy:disarm-detections="Follow the money"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00018.md |
Activity resurgence detection (alarm when dormant accounts become activated)
The tag is: misp-galaxy:disarm-detections="Activity resurgence detection (alarm when dormant accounts become activated)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00019.md |
Detect anomalous activity
The tag is: misp-galaxy:disarm-detections="Detect anomalous activity"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00020.md |
AI/ML automated early detection of campaign planning
The tag is: misp-galaxy:disarm-detections="AI/ML automated early detection of campaign planning"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00021.md |
Digital authority - regulating body (united states)
The tag is: misp-galaxy:disarm-detections="Digital authority - regulating body (united states)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00022.md |
Periodic verification (counter to hijack legitimate account)
The tag is: misp-galaxy:disarm-detections="Periodic verification (counter to hijack legitimate account)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00023.md |
Teach civics to kids/ adults/ seniors
The tag is: misp-galaxy:disarm-detections="Teach civics to kids/ adults/ seniors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00024.md |
Boots-on-the-ground early narrative detection
The tag is: misp-galaxy:disarm-detections="Boots-on-the-ground early narrative detection"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00025.md |
Language anomoly detection
The tag is: misp-galaxy:disarm-detections="Language anomoly detection"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00026.md |
Unlikely correlation of sentiment on same topics
The tag is: misp-galaxy:disarm-detections="Unlikely correlation of sentiment on same topics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00027.md |
Associate a public key signature with government documents
The tag is: misp-galaxy:disarm-detections="Associate a public key signature with government documents"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00028.md |
Detect proto narratives, i.e. RT, Sputnik
The tag is: misp-galaxy:disarm-detections="Detect proto narratives, i.e. RT, Sputnik"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00029.md |
Early detection and warning - reporting of suspect content
The tag is: misp-galaxy:disarm-detections="Early detection and warning - reporting of suspect content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00030.md |
Educate on how to identify information pollution
Strategic planning included, as inoculating the population has strategic value.
The tag is: misp-galaxy:disarm-detections="Educate on how to identify information pollution"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00031.md |
Educate on how to identify to pollution
DUPLICATE - DELETE
The tag is: misp-galaxy:disarm-detections="Educate on how to identify to pollution"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00032.md |
Fake websites: add transparency on business model
The tag is: misp-galaxy:disarm-detections="Fake websites: add transparency on business model"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00033.md |
Flag the information spaces so people know about active flooding effort
The tag is: misp-galaxy:disarm-detections="Flag the information spaces so people know about active flooding effort"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00034.md |
Identify repeated narrative DNA
The tag is: misp-galaxy:disarm-detections="Identify repeated narrative DNA"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00035.md |
Looking for AB testing in unregulated channels
The tag is: misp-galaxy:disarm-detections="Looking for AB testing in unregulated channels"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00036.md |
News content provenance certification.
Original comment: Shortcomings: intentional falsehood. Doesn’t solve accuracy. Can’t be mandatory. Technique should be in terms of "strategic inoculation", raising the standards of what people expect in terms of evidence when consuming news.
The tag is: misp-galaxy:disarm-detections="News content provenance certification."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00037.md |
Social capital as attack vector
Unsure I understood the original intention or what it applied to. Therefore the techniques listed (10, 39, 43, 57, 61) are under my interpretation - which is that we want to track ignorant agents who fall into the enemy’s trap and show a cost to financing/reposting/helping the adversary via public shaming or other means.
The tag is: misp-galaxy:disarm-detections="Social capital as attack vector"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00038.md |
standards to track image/ video deep fakes - industry
The tag is: misp-galaxy:disarm-detections="standards to track image/ video deep fakes - industry"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00039.md |
Unalterable metadata signature on origins of image and provenance
The tag is: misp-galaxy:disarm-detections="Unalterable metadata signature on origins of image and provenance"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00040.md |
Bias detection
Not technically left of boom
The tag is: misp-galaxy:disarm-detections="Bias detection"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00041.md |
Categorise polls by intent
Use T00029, but against the creators
The tag is: misp-galaxy:disarm-detections="Categorise polls by intent"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00042.md |
Monitor for creation of fake known personas
Platform companies and some information security companies (e.g. ZeroFox) do this.
The tag is: misp-galaxy:disarm-detections="Monitor for creation of fake known personas"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00043.md |
Forensic analysis
Can be used in all phases for all techniques.
The tag is: misp-galaxy:disarm-detections="Forensic analysis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00044.md |
Forensic linguistic analysis
Can be used in all phases for all techniques.
The tag is: misp-galaxy:disarm-detections="Forensic linguistic analysis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00045.md |
Pump priming analytics
The tag is: misp-galaxy:disarm-detections="Pump priming analytics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00046.md |
trace involved parties
The tag is: misp-galaxy:disarm-detections="trace involved parties"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00047.md |
Trace known operations and connection
The tag is: misp-galaxy:disarm-detections="Trace known operations and connection"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00048.md |
trace money
The tag is: misp-galaxy:disarm-detections="trace money"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00049.md |
Web cache analytics
The tag is: misp-galaxy:disarm-detections="Web cache analytics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00050.md |
Challenge expertise
The tag is: misp-galaxy:disarm-detections="Challenge expertise"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00051.md |
Discover sponsors
Discovering the sponsors behind a campaign, narrative, bot, set of accounts, social media comment, or anything else is useful.
The tag is: misp-galaxy:disarm-detections="Discover sponsors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00052.md |
Government rumour control office (what can we learn?)
The tag is: misp-galaxy:disarm-detections="Government rumour control office (what can we learn?)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00053.md |
Restrict people who can @ you on social networks
The tag is: misp-galaxy:disarm-detections="Restrict people who can @ you on social networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00054.md |
Verify credentials
The tag is: misp-galaxy:disarm-detections="Verify credentials"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00055.md |
Verify organisation legitimacy
The tag is: misp-galaxy:disarm-detections="Verify organisation legitimacy"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00056.md |
Verify personal credentials of experts
The tag is: misp-galaxy:disarm-detections="Verify personal credentials of experts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00057.md |
Deplatform (cancel culture)
Deplatform people: this technique needs to be a bit more specific to distinguish it from "account removal" or DDoS and other techniques that get more specific when applied to content. For example, other ways of deplatforming people include attacking their sources of funds, their allies, their followers, etc.
The tag is: misp-galaxy:disarm-detections="Deplatform (cancel culture)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00058.md |
Identify susceptible demographics
All techniques provide or are susceptible to being countered by, or leveraged for, knowledge about user demographics.
The tag is: misp-galaxy:disarm-detections="Identify susceptible demographics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00059.md |
Identify susceptible influencers
I assume this was a transcript error. Otherwise, "Identify Susceptible Influences", as in the various methods of influence that may work against a victim, could also be a technique. Nope, wasn’t a transcript error: original note says influencers, as in find people of influence that might be targeted.
The tag is: misp-galaxy:disarm-detections="Identify susceptible influencers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00060.md |
Microtargeting
The tag is: misp-galaxy:disarm-detections="Microtargeting"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00061.md |
Detect when Dormant account turns active
The tag is: misp-galaxy:disarm-detections="Detect when Dormant account turns active"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00062.md |
Linguistic change analysis
The tag is: misp-galaxy:disarm-detections="Linguistic change analysis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00063.md |
Monitor reports of account takeover
The tag is: misp-galaxy:disarm-detections="Monitor reports of account takeover"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00064.md |
Sentiment change analysis
The tag is: misp-galaxy:disarm-detections="Sentiment change analysis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00065.md |
Use language errors, time to respond to account bans and lawsuits, to indicate capabilities
The tag is: misp-galaxy:disarm-detections="Use language errors, time to respond to account bans and lawsuits, to indicate capabilities"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00066.md |
Data forensics
The tag is: misp-galaxy:disarm-detections="Data forensics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00067.md |
Resonance analysis
A developing methodology for identifying statistical differences in how social groups use language and quantifying how common those statistical differences are within a larger population. In essence, it hypothesises how much affinity might exist for a specific group within a general population, based on the language its members employ.
The tag is: misp-galaxy:disarm-detections="Resonance analysis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00068.md |
Track Russian media and develop analytic methods.
To effectively counter Russian propaganda, it will be critical to track Russian influence efforts. The information requirements are varied and include the following:
- Identify fake-news stories and their sources.
- Understand narrative themes and content that pervade various Russian media sources.
- Understand the broader Russian strategy that underlies tactical propaganda messaging.
The tag is: misp-galaxy:disarm-detections="Track Russian media and develop analytic methods."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00069.md |
Full spectrum analytics
The tag is: misp-galaxy:disarm-detections="Full spectrum analytics"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00070.md |
Network analysis Identify/cultivate/support influencers
Local influencers detected via Twitter networks are likely local influencers in other online and off-line channels as well. In addition, the content and themes gleaned from Russia and Russia-supporting populations, as well as anti-Russia activists, likely swirl in other online and off-line mediums as well.
The tag is: misp-galaxy:disarm-detections="Network analysis Identify/cultivate/support influencers"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00071.md |
network analysis to identify central users in the pro-Russia activist community.
It is possible that some of these are bots or trolls and could be flagged for suspension for violating Twitter’s terms of service.
The tag is: misp-galaxy:disarm-detections="network analysis to identify central users in the pro-Russia activist community."
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00072.md |
collect intel/recon on black/covert content creators/manipulators
Players at the level of covert attribution, referred to as “black” in the grayscale of deniability, produce content on user-generated media, such as YouTube, but also add fear-mongering commentary to and amplify content produced by others and supply exploitable content to data dump websites. These activities are conducted by a network of trolls, bots, honeypots, and hackers.
The tag is: misp-galaxy:disarm-detections="collect intel/recon on black/covert content creators/manipulators"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00073.md |
identify relevant fence-sitter communities
Brand ambassador programmes could be used with influencers across a variety of social media channels. They could also target other prominent experts, such as academics, business leaders, and other potentially prominent people. Authorities must ultimately take care in implementing such a programme given the risk that contact with U.S. or NATO authorities might damage influencer reputations. Engagements must consequently be made with care, and, if possible, government interlocutors should work through local NGOs.
The tag is: misp-galaxy:disarm-detections="identify relevant fence-sitter communities"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00074.md |
leverage open-source information
Significant amounts of quality open-source information are now available and should be leveraged to build products and analysis prior to problem prioritisation in the areas of observation, attribution, and intent. Successfully distinguishing the grey zone campaign signal through the global noise requires action through the entirety of the national security community. Policy, process, and tools must all adapt and evolve to detect, discern, and act upon a new type of signal.
The tag is: misp-galaxy:disarm-detections="leverage open-source information"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00075.md |
Monitor/collect audience engagement data connected to “useful idiots”
Target the audience connected to "useful idiots" rather than the specific profiles, because the active presence of such sources complicates targeting of Russian propaganda, given that it is often difficult to discriminate between authentic views and opinions on the internet and those disseminated by the Russian state.
The tag is: misp-galaxy:disarm-detections="Monitor/collect audience engagement data connected to “useful idiots”"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00076.md |
Model for bot account behaviour
Bot account: action based, people. It is unclear which DISARM techniques this detection maps to.
The tag is: misp-galaxy:disarm-detections="Model for bot account behaviour"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00077.md |
Network anomaly detection
The tag is: misp-galaxy:disarm-detections="Network anomaly detection"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00079.md |
Hack the polls/ content yourself
Two wrongs don’t make a right? But if you hack your own polls, you do learn how it could be done, and learn what to look for.
The tag is: misp-galaxy:disarm-detections="Hack the polls/ content yourself"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00080.md |
Need way for end user to report operations
The tag is: misp-galaxy:disarm-detections="Need way for end user to report operations"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00081.md |
Control the US "slang" translation boards
The tag is: misp-galaxy:disarm-detections="Control the US "slang" translation boards"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00082.md |
Build and own meme generator, then track and watermark contents
The tag is: misp-galaxy:disarm-detections="Build and own meme generator, then track and watermark contents"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00083.md |
Track individual bad actors
The tag is: misp-galaxy:disarm-detections="Track individual bad actors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00084.md |
detection of a weak signal through global noise
Grey zone threats are challenging given that warning requires detection of a weak signal through global noise and across threat vectors and regional boundaries. Three interconnected grey zone elements characterise the nature of the activity:
Temporality: the nature of grey zone threats truly requires a “big picture view” over long timescales and across regions and functional topics.
Attribution: requiring an “almost certain” or “nearly certain” analytic assessment before acting costs time and analytic effort.
Intent: judgement of adversarial intent to conduct grey zone activity. Indeed, the purpose of countering grey zone threats is to deter adversaries from fulfilling their intent to act. While attribution is one piece of the puzzle, closing the space around intent often means synthesising multiple relevant indicators and warnings, including the state’s geopolitical ambitions, military ties, trade and investment, level of corruption, and media landscape, among others.
The tag is: misp-galaxy:disarm-detections="detection of a weak signal through global noise"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00085.md |
Outpace Competitor Intelligence Capabilities
Develop an intelligence-based understanding of foreign actors’ motivations, psychologies, and societal and geopolitical contexts. Leverage artificial intelligence to identify patterns and infer competitors’ intent.
The tag is: misp-galaxy:disarm-detections="Outpace Competitor Intelligence Capabilities"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00086.md |
Improve Indications and Warning
The United States has not adequately adapted its information indicators and thresholds for warning policymakers to account for grey zone tactics. Competitors have undertaken a marked shift to slow-burn, deceptive, non-military, and indirect challenges to U.S. interests. Relative to traditional security indicators and warnings, these are more numerous and harder to detect, and they make it difficult for analysts to infer intent.
The tag is: misp-galaxy:disarm-detections="Improve Indications and Warning"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00087.md |
Revitalise an “active measures working group,”
Recognise campaigns from weak signals, including rivals’ intent, capability, impact, interactive effects, and impact on U.S. interests… focus on adversarial covert action aspects of campaigning.
The tag is: misp-galaxy:disarm-detections="Revitalise an “active measures working group,”"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00088.md |
target/name/flag "grey zone" website content
"Grey zone" is the second level of content producers and circulators, composed of outlets with uncertain attribution. This category covers conspiracy websites, far-right or far-left websites, news aggregators, and data dump websites.
The tag is: misp-galaxy:disarm-detections="target/name/flag "grey zone" website content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00089.md |
Match Punitive Tools with Third-Party Inducements
Bring the private sector and civil society into accord on U.S. interests.
The tag is: misp-galaxy:disarm-detections="Match Punitive Tools with Third-Party Inducements"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00090.md |
Partner to develop analytic methods & tools
This might include working with relevant technology firms to ensure that contracted analytic support is available. Contracted support is reportedly valuable because technology to monitor social media data is continually evolving, and such firms can provide the expertise to help identify and analyse trends; they can more effectively stay abreast of the changing systems and develop new models as they are required.
The tag is: misp-galaxy:disarm-detections="Partner to develop analytic methods & tools"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00091.md |
daylight
Warn social media companies about an ongoing campaign (e.g. antivax sites). Anyone with datasets or data summaries can help with this.
The tag is: misp-galaxy:disarm-detections="daylight"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00092.md |
S4d detection and re-allocation approaches
S4D is a way to separate out different speakers in text, audio.
The tag is: misp-galaxy:disarm-detections="S4d detection and re-allocation approaches"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00093.md |
Registries alert when large batches of newsy URLs get registered together
The tag is: misp-galaxy:disarm-detections="Registries alert when large batches of newsy URLs get registered together"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00094.md |
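One way a registry or registrar could implement the batch alert above, as an added example that is not tooling from any registry, from DISARM or from MISP. The REGISTRATIONS feed is constructed to resemble a newly-registered-domain list (domain, registration time, nameserver); the domain names are invented, and the news-word list, the one-hour linkage gap and the batch size of four are assumptions that a real deployment would tune against its own feed.

```python
"""Alert when a batch of news-styled domains is registered together.

Added example; not tooling from any registry, from DISARM or from MISP. The
REGISTRATIONS list is constructed to resemble a newly-registered-domain feed:
(domain, unix registration time, nameserver). Names are invented; the token
list, the 1-hour gap and the batch size of 4 are assumptions to tune per feed.
"""
from collections import defaultdict

NEWSY_TOKENS = ("news", "daily", "times", "herald", "tribune", "gazette",
                "post", "report", "journal", "press", "chronicle")
T0 = 1_700_000_000
REGISTRATIONS = [
    ("springfield-daily-news.example", T0 + 10, "ns1.bulkhost.example"),
    ("ohio-valley-times.example", T0 + 42, "ns1.bulkhost.example"),
    ("midwest-herald-online.example", T0 + 65, "ns1.bulkhost.example"),
    ("lakeside-tribune.example", T0 + 90, "ns1.bulkhost.example"),
    ("capitol-gazette-today.example", T0 + 131, "ns1.bulkhost.example"),
    ("bobs-bakery.example", T0 + 200, "ns1.bulkhost.example"),            # not newsy
    ("riverside-post.example", T0 + 7200, "ns1.other.example"),           # alone on its NS
    ("cloudy-skies-press.example", T0 + 3 * 86400, "ns1.bulkhost.example"),  # days later
]


def is_newsy(domain):
    """Substring match on the leftmost label. Tuned for recall over precision:
    an analyst reviews the alert, so a bakery called "The Daily Loaf" is cheap."""
    label = domain.lower().split(".")[0]
    return any(tok in label for tok in NEWSY_TOKENS)


def batch_alerts(records, gap=3600, min_batch=4):
    """Single-linkage time clustering per nameserver: consecutive newsy
    registrations no more than `gap` seconds apart form one batch, and a batch
    of at least `min_batch` domains raises an alert. Sharing a nameserver is the
    proxy used here for "registered together"; registrant or payment data, where
    a registrar has it, is a stronger key."""
    by_ns = defaultdict(list)
    for domain, ts, ns in records:
        if is_newsy(domain):
            by_ns[ns].append((ts, domain))
    alerts = []

    def flush(ns, batch):
        if len(batch) >= min_batch:
            alerts.append({"nameserver": ns, "first_seen": batch[0][0],
                           "domains": [d for _, d in batch]})

    for ns in sorted(by_ns):
        entries = sorted(by_ns[ns])
        batch = [entries[0]]
        for prev, cur in zip(entries, entries[1:]):
            if cur[0] - prev[0] <= gap:
                batch.append(cur)
            else:
                flush(ns, batch)
                batch = [cur]
        flush(ns, batch)
    return alerts


if __name__ == "__main__":
    for alert in batch_alerts(REGISTRATIONS):
        print(alert["nameserver"], alert["first_seen"], alert["domains"])
```

On the constructed feed the five bulk-host registrations within about two minutes produce one alert; the lone "riverside-post" and the registration three days later do not, which is the intended behaviour: the signal is the batch, not any single news-like name.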
Fact checking
Process suspicious artefacts, narratives, and incidents
The tag is: misp-galaxy:disarm-detections="Fact checking"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/detections/F00095.md |
Techniques
DISARM is a framework designed for describing and understanding disinformation incidents.
Techniques is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
DISARM Project
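Every entry below is rendered from a cluster JSON file into a tag of the form misp-galaxy:disarm-techniques="Value". The following added example (not code from the MISP project or the DISARM galaxy) shows how to go from such a file to those tag strings and back. The CLUSTER dict is a constructed fragment shaped like a misp-galaxy cluster file; only the fields it uses (type, values, value, description, uuid, meta.external_id, meta.refs) are assumed to be present, and the uuids are placeholders. Note the awkward case of a value that itself contains double quotes, such as Boycott/"Cancel" Opponents, which MISP emits unescaped.

```python
"""Build and parse misp-galaxy tags from a cluster JSON structure.

Added example, not part of the MISP project or the DISARM galaxy code. CLUSTER
is a constructed fragment shaped like clusters/<name>.json; uuids are
placeholders and only the fields used below are assumed to exist.
"""
from typing import Dict, Optional, Tuple

CLUSTER = {
    "name": "DISARM Techniques",
    "type": "disarm-techniques",
    "version": 1,
    "values": [
        {
            "value": "Facilitate State Propaganda",
            "description": "Organise citizens around pro-state messaging.",
            "uuid": "00000000-0000-4000-8000-000000000002",  # placeholder
            "meta": {
                "external_id": "T0002",
                "refs": ["https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0002.md"],
            },
        },
        {
            "value": 'Boycott/"Cancel" Opponents',   # value with embedded quotes
            "description": "Exploit a real or falsified controversy.",
            "uuid": "00000000-0000-4000-8000-000000000048",  # placeholder
            "meta": {},
        },
    ],
}


def galaxy_tag(cluster_type: str, value: str) -> str:
    """Render the tag string MISP attaches to an event for a cluster element."""
    return f'misp-galaxy:{cluster_type}="{value}"'


def parse_galaxy_tag(tag: str) -> Tuple[str, str]:
    """Split a misp-galaxy tag into (cluster type, value).
    The value may contain double quotes, so split on the first '=' only and
    strip exactly one quote from each end instead of tokenising on quotes."""
    prefix = "misp-galaxy:"
    if not tag.startswith(prefix) or "=" not in tag:
        raise ValueError(f"not a galaxy tag: {tag!r}")
    cluster_type, _, quoted = tag[len(prefix):].partition("=")
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError(f"value is not quoted: {tag!r}")
    return cluster_type, quoted[1:-1]


def index_cluster(cluster: dict) -> Dict[str, dict]:
    """Map every tag the cluster can produce to its description, id and refs."""
    index = {}
    for element in cluster["values"]:
        meta = element.get("meta", {})
        index[galaxy_tag(cluster["type"], element["value"])] = {
            "uuid": element["uuid"],
            "description": element.get("description", ""),
            "external_id": meta.get("external_id"),
            "refs": list(meta.get("refs", [])),
        }
    return index


def lookup(tag: str, index: Dict[str, dict]) -> Optional[dict]:
    """Resolve a tag seen on a MISP event back to its cluster metadata."""
    cluster_type, value = parse_galaxy_tag(tag)
    return index.get(galaxy_tag(cluster_type, value))


if __name__ == "__main__":
    for tag, meta in index_cluster(CLUSTER).items():
        print(tag, "->", meta["external_id"], meta["refs"])
```

The round trip matters when tags are consumed by something other than MISP itself (a SIEM rule, a ticketing integration): a parser that splits on the quote character will break on the handful of DISARM values that contain one.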
Facilitate State Propaganda
Organise citizens around pro-state messaging. Coordinate paid or volunteer groups to push state propaganda.
The tag is: misp-galaxy:disarm-techniques="Facilitate State Propaganda"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0002.md |
Leverage Existing Narratives
Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consistent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplification practices.
The tag is: misp-galaxy:disarm-techniques="Leverage Existing Narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0003.md |
Develop Competing Narratives
Advance competing narratives connected to the same issue, e.g. on the one hand deny the incident while at the same time expressing dismissal of it. Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centred on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.
The tag is: misp-galaxy:disarm-techniques="Develop Competing Narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0004.md |
Create Inauthentic Social Media Pages and Groups
Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.
The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Social Media Pages and Groups"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0007.md |
Create Fake Experts
Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself.
The tag is: misp-galaxy:disarm-techniques="Create Fake Experts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0009.md |
Utilise Academic/Pseudoscientific Justifications
Utilise Academic/Pseudoscientific Justifications
The tag is: misp-galaxy:disarm-techniques="Utilise Academic/Pseudoscientific Justifications"
Links |
Cultivate Ignorant Agents
Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also known as "useful idiots" or "unwitting agents".
The tag is: misp-galaxy:disarm-techniques="Cultivate Ignorant Agents"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0010.md |
Create Inauthentic Websites
Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.
The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Websites"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0013.md |
Prepare Fundraising Campaigns
Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities.
The tag is: misp-galaxy:disarm-techniques="Prepare Fundraising Campaigns"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.md |
Raise Funds from Malign Actors
Raising funds from malign actors may include contributions from foreign agents, cutouts or proxies, shell companies, dark money groups, etc.
The tag is: misp-galaxy:disarm-techniques="Raise Funds from Malign Actors"
Links |
Raise Funds from Ignorant Agents
Raising funds from ignorant agents may include scams, donations intended for one stated purpose but then used for another, etc.
The tag is: misp-galaxy:disarm-techniques="Raise Funds from Ignorant Agents"
Links |
Create Hashtags and Search Artefacts
Create one or more hashtags and/or hashtag groups. Many incident-based campaigns will create hashtags to promote their fabricated event. Creating a hashtag for an incident can have two important effects: 1. it creates a perception of reality around an event (certainly only "real" events would be discussed in a hashtag; after all, the event has a name!), and 2. it publicises the story more widely through trending lists and search behaviour. This is an asset needed to direct, control and manage the "conversation" connected to launching a new incident or campaign with a new hashtag on the applicable social media sites.
The tag is: misp-galaxy:disarm-techniques="Create Hashtags and Search Artefacts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0015.md |
Create Clickbait
Create attention grabbing headlines (outrage, doubt, humour) required to drive traffic & engagement. This is a key asset.
The tag is: misp-galaxy:disarm-techniques="Create Clickbait"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0016.md |
Conduct Fundraising
Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities.
The tag is: misp-galaxy:disarm-techniques="Conduct Fundraising"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0017.md |
Conduct Crowdfunding Campaigns
An influence operation may Conduct Crowdfunding Campaigns on platforms such as GoFundMe, GiveSendGo, Tipeee, Patreon, etc.
The tag is: misp-galaxy:disarm-techniques="Conduct Crowdfunding Campaigns"
Links |
Purchase Targeted Advertisements
Create or fund advertisements targeted at specific populations.
The tag is: misp-galaxy:disarm-techniques="Purchase Targeted Advertisements"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0018.md |
Trial Content
Iteratively test incident performance (messages, content etc.), e.g. A/B test headline/content engagement metrics; website and/or funding campaign conversion rates.
The tag is: misp-galaxy:disarm-techniques="Trial Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0020.md |
Leverage Conspiracy Theory Narratives
"Conspiracy narratives" appeal to the human desire for explanatory order, by invoking the participation of powerful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalised or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model.
The tag is: misp-galaxy:disarm-techniques="Leverage Conspiracy Theory Narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0022.md |
Amplify Existing Conspiracy Theory Narratives
An influence operation may amplify an existing conspiracy theory narrative that aligns with its incident or campaign goals. By amplifying existing conspiracy theory narratives, operators can leverage the power of the existing communities that support and propagate those theories without needing to expend resources creating new narratives or building momentum and buy in around new narratives.
The tag is: misp-galaxy:disarm-techniques="Amplify Existing Conspiracy Theory Narratives"
Links |
Develop Original Conspiracy Theory Narratives
While this requires more resources than amplifying existing conspiracy theory narratives, an influence operation may develop original conspiracy theory narratives in order to achieve greater control and alignment over the narrative and their campaign goals. Prominent examples include the USSR’s Operation INFEKTION disinformation campaign run by the KGB in the 1980s to plant the idea that the United States had invented HIV/AIDS as part of a biological weapons research project at Fort Detrick, Maryland. More recently, Fort Detrick featured prominently in new conspiracy theory narratives around the origins of the COVID-19 outbreak and pandemic.
The tag is: misp-galaxy:disarm-techniques="Develop Original Conspiracy Theory Narratives"
Links |
Distort Facts
Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper context.
The tag is: misp-galaxy:disarm-techniques="Distort Facts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0023.md |
Reframe Context
Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions.
The tag is: misp-galaxy:disarm-techniques="Reframe Context"
Links |
Edit Open-Source Content
An influence operation may edit open-source content, such as collaborative blogs or encyclopaedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets.
The tag is: misp-galaxy:disarm-techniques="Edit Open-Source Content"
Links |
Online Polls
Create fake online polls, or manipulate existing online polls. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well.
The tag is: misp-galaxy:disarm-techniques="Online Polls"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0029.md |
Bait Influencer
Influencers are people on social media platforms who have large audiences.
Threat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who aren’t associated with their campaign into amplifying campaign content. This gives them access to the Influencer’s audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audience’s trust in them.
The tag is: misp-galaxy:disarm-techniques="Bait Influencer"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0039.md |
Demand Insurmountable Proof
Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the "firehose of misinformation". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of "questions" while the truth teller is burdened with higher and higher standards of proof.
The tag is: misp-galaxy:disarm-techniques="Demand Insurmountable Proof"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0040.md |
Seed Kernel of Truth
Wrap lies or altered context/facts around truths. Influence campaigns pursue a variety of objectives with respect to target audiences, prominent among them: 1. undermine a narrative commonly referenced in the target audience; or 2. promote a narrative less common in the target audience, but preferred by the attacker. In both cases, the attacker is presented with a heavy lift. They must change the relative importance of various narratives in the interpretation of events, despite contrary tendencies. When messaging makes use of factual reporting to promote these adjustments in the narrative space, they are less likely to be dismissed out of hand; when messaging can juxtapose a (factual) truth about current affairs with the (abstract) truth explicated in these narratives, propagandists can undermine or promote them selectively. Context matters.
The tag is: misp-galaxy:disarm-techniques="Seed Kernel of Truth"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0042.md |
Chat Apps
Direct messaging via chat app is an increasingly common method of delivery. These messages are often automated, and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.
The tag is: misp-galaxy:disarm-techniques="Chat Apps"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0043.md |
Use Encrypted Chat Apps
Examples include Signal, WhatsApp, Discord, Wire, etc.
The tag is: misp-galaxy:disarm-techniques="Use Encrypted Chat Apps"
Links |
Use Unencrypted Chats Apps
Examples include SMS, etc.
The tag is: misp-galaxy:disarm-techniques="Use Unencrypted Chats Apps"
Links |
Seed Distortions
Try a wide variety of messages in the early hours surrounding an incident or event, to give a misleading account or impression.
The tag is: misp-galaxy:disarm-techniques="Seed Distortions"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0044.md |
Use Fake Experts
Use the fake experts that were set up during Establish Legitimacy. Pseudo-experts are disposable assets that often appear once and then disappear. They give "credibility" to misinformation and take advantage of credential bias.
The tag is: misp-galaxy:disarm-techniques="Use Fake Experts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0045.md |
Use Search Engine Optimisation
Manipulate content engagement metrics (e.g. on Reddit and Twitter) to influence news search results (e.g. Google); this also elevates RT and Sputnik headlines into Google News alert emails. Also known as "black-hat SEO".
The tag is: misp-galaxy:disarm-techniques="Use Search Engine Optimisation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0046.md |
Censor Social Media as a Political Force
Use political influence or the power of the state to stop critical social media comments. Government requested/driven content take downs (see Google Transparency reports).
The tag is: misp-galaxy:disarm-techniques="Censor Social Media as a Political Force"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0047.md |
Harass
Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content.
The tag is: misp-galaxy:disarm-techniques="Harass"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0048.md |
Boycott/"Cancel" Opponents
Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organisation, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasising an adversary’s problematic or disputed behaviour and presenting its own content as an alternative.
The tag is: misp-galaxy:disarm-techniques="Boycott/"Cancel" Opponents"
Links |
Harass People Based on Identities
Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.
The tag is: misp-galaxy:disarm-techniques="Harass People Based on Identities"
Links |
Threaten to Dox
Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.
The tag is: misp-galaxy:disarm-techniques="Threaten to Dox"
Links |
Dox
Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content.
The tag is: misp-galaxy:disarm-techniques="Dox"
Links |
Flood Information Space
Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.
This can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information.
Bots and/or patriotic trolls are effective tools to achieve this effect.
This Technique previously used the name Flooding the Information Space.
The tag is: misp-galaxy:disarm-techniques="Flood Information Space"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.md |
Trolls Amplify and Manipulate
Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operate to support individuals/narratives from the entire political spectrum (left/right binary). They operate with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it is easier to amplify existing content than to create new/original content. Trolls operate wherever there is a socially divisive issue (issues that can be or are politicised).
The tag is: misp-galaxy:disarm-techniques="Trolls Amplify and Manipulate"
Links |
Flood Existing Hashtag
Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags they’re interested in.
Threat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.
This Technique covers cases where threat actors flood existing hashtags with campaign content.
This Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.
The tag is: misp-galaxy:disarm-techniques="Flood Existing Hashtag"
Links |
Bots Amplify via Automated Forwarding and Reposting
Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (e.g. automatically retweet or like) and give the appearance that it is more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms become more responsive.
The tag is: misp-galaxy:disarm-techniques="Bots Amplify via Automated Forwarding and Reposting"
Links |
Utilise Spamoflauge
Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, "you’ve w0n our jackp0t!". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging.
The tag is: misp-galaxy:disarm-techniques="Utilise Spamoflauge"
Links |
Conduct Swarming
Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centres exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach.
The tag is: misp-galaxy:disarm-techniques="Conduct Swarming"
Links |
Conduct Keyword Squatting
Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimised term to overwhelm the search results of that term. An influence operation may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and to manipulate the narrative around the term.
The tag is: misp-galaxy:disarm-techniques="Conduct Keyword Squatting"
Links |
Inauthentic Sites Amplify News and Narratives
Inauthentic sites circulate and cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.
The tag is: misp-galaxy:disarm-techniques="Inauthentic Sites Amplify News and Narratives"
Links |
Generate Information Pollution
Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information they’re looking for.
This subtechnique’s objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used.
Analysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.
This Technique previously used the ID T0019.
The tag is: misp-galaxy:disarm-techniques="Generate Information Pollution"
Links |
Organise Events
Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.
The tag is: misp-galaxy:disarm-techniques="Organise Events"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0057.md |
Pay for Physical Action
Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest.
The tag is: misp-galaxy:disarm-techniques="Pay for Physical Action"
Links |
Conduct Symbolic Action
Symbolic action refers to activities specifically intended to advance an operation’s narrative by signalling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space.
The tag is: misp-galaxy:disarm-techniques="Conduct Symbolic Action"
Links |
Play the Long Game
Play the long game refers to two phenomena: (1) to plan messaging and allow it to grow organically without conducting your own amplification; this is methodical and slow and requires years for the message to take hold; (2) to develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative.
The tag is: misp-galaxy:disarm-techniques="Play the Long Game"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0059.md |
Continue to Amplify
Continue narrative or message amplification after the main incident work has finished.
The tag is: misp-galaxy:disarm-techniques="Continue to Amplify"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0060.md |
Sell Merchandise
Sell merchandise refers to getting the message or narrative into physical space in the offline world while making money.
The tag is: misp-galaxy:disarm-techniques="Sell Merchandise"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0061.md |
Prepare Physical Broadcast Capabilities
Create or co-opt broadcast capabilities (e.g. TV, radio etc.).
The tag is: misp-galaxy:disarm-techniques="Prepare Physical Broadcast Capabilities"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0065.md |
Degrade Adversary
Plan to degrade an adversary’s image or ability to act. This could include preparation and use of harmful information about the adversary’s actions or reputation.
The tag is: misp-galaxy:disarm-techniques="Degrade Adversary"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0066.md |
Respond to Breaking News Event or Active Crisis
Media attention on a story or event is heightened during a breaking news event, where unclear facts and incomplete information increase speculation, rumours, and conspiracy theories, which are all vulnerable to manipulation.
The tag is: misp-galaxy:disarm-techniques="Respond to Breaking News Event or Active Crisis"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0068.md |
Segment Audiences
Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics.
The tag is: misp-galaxy:disarm-techniques="Segment Audiences"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0072.md |
Geographic Segmentation
An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localised Content (see: Establish Legitimacy).
The tag is: misp-galaxy:disarm-techniques="Geographic Segmentation"
Links |
Demographic Segmentation
An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age.
The tag is: misp-galaxy:disarm-techniques="Demographic Segmentation"
Links |
Economic Segmentation
An influence operation may target populations based on their income bracket, wealth, or other financial or economic division.
The tag is: misp-galaxy:disarm-techniques="Economic Segmentation"
Links |
Psychographic Segmentation
An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes.
The tag is: misp-galaxy:disarm-techniques="Psychographic Segmentation"
Links |
Political Segmentation
An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy.
The tag is: misp-galaxy:disarm-techniques="Political Segmentation"
Links |
Determine Target Audiences
Determining the target audiences (segments of the population) who will receive campaign narratives and artefacts intended to achieve the strategic ends.
The tag is: misp-galaxy:disarm-techniques="Determine Target Audiences"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0073.md |
Determine Strategic Ends
These are the long-term end-states the campaign aims to bring about. They typically involve an advantageous position vis-a-vis competitors in terms of power or influence. The strategic goal may be to improve or simply to hold one’s position. Competition occurs in the public sphere in the domains of war, diplomacy, politics, economics, and ideology, and can play out between armed groups, nation-states, political parties, corporations, interest groups, or individuals.
The tag is: misp-galaxy:disarm-techniques="Determine Strategic Ends"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0074.md |
Geopolitical Advantage
Favourable position on the international stage in terms of great power politics or regional rivalry. Geopolitics plays out in the realms of foreign policy, national security, diplomacy, and intelligence. It involves nation-state governments, heads of state, foreign ministers, intergovernmental organisations, and regional security alliances.
The tag is: misp-galaxy:disarm-techniques="Geopolitical Advantage"
Links |
Domestic Political Advantage
Favourable position vis-à-vis national or sub-national political opponents such as political parties, interest groups, politicians, candidates.
The tag is: misp-galaxy:disarm-techniques="Domestic Political Advantage"
Links |
Economic Advantage
Favourable position domestically or internationally in the realms of commerce, trade, finance, industry. Economics involves nation-states, corporations, banks, trade blocs, industry associations, cartels.
The tag is: misp-galaxy:disarm-techniques="Economic Advantage"
Links |
Ideological Advantage
Favourable position domestically or internationally in the market for ideas, beliefs, and world views. Competition plays out among faith systems, political systems, and value systems. It can involve sub-national, national or supra-national movements.
The tag is: misp-galaxy:disarm-techniques="Ideological Advantage"
Links |
Dismiss
Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than for other actors or themselves, or arguing that their criticism is biased.
The tag is: misp-galaxy:disarm-techniques="Dismiss"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0075.md |
Discredit Credible Sources
Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content.
The tag is: misp-galaxy:disarm-techniques="Discredit Credible Sources"
Links |
Distort
Twist the narrative. Take information, or artefacts like images, and change the framing around them.
The tag is: misp-galaxy:disarm-techniques="Distort"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0076.md |
Distract
Shift attention to a different narrative or actor, for instance by accusing critics of the same activity that they’ve accused you of (e.g. police brutality).
The tag is: misp-galaxy:disarm-techniques="Distract"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0077.md |
Dismay
Threaten the critic or narrator of events. For instance, threaten journalists or news outlets reporting on a story.
The tag is: misp-galaxy:disarm-techniques="Dismay"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0078.md |
Divide
Create conflict between subgroups, to widen divisions in a community.
The tag is: misp-galaxy:disarm-techniques="Divide"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0079.md |
Map Target Audience Information Environment
Mapping the target audience information environment analyses the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience. Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.
The tag is: misp-galaxy:disarm-techniques="Map Target Audience Information Environment"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0080.md |
Monitor Social Media Analytics
An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics.
The tag is: misp-galaxy:disarm-techniques="Monitor Social Media Analytics"
Links |
Evaluate Media Surveys
An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience.
The tag is: misp-galaxy:disarm-techniques="Evaluate Media Surveys"
Links |
Identify Trending Topics/Hashtags
An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag refers to a word or phrase preceded by the hash symbol (#) on social media used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralised page dedicated to the word or phrase and sorted either chronologically or by popularity.
The tag is: misp-galaxy:disarm-techniques="Identify Trending Topics/Hashtags"
Links |
Conduct Web Traffic Analysis
An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience.
The tag is: misp-galaxy:disarm-techniques="Conduct Web Traffic Analysis"
Links |
Assess Degree/Type of Media Access
An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties.
The tag is: misp-galaxy:disarm-techniques="Assess Degree/Type of Media Access"
Links |
Identify Social and Technical Vulnerabilities
Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non-technical weaknesses in the target information environment. Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives.
The tag is: misp-galaxy:disarm-techniques="Identify Social and Technical Vulnerabilities"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0081.md |
Find Echo Chambers
Find or plan to create areas (social media groups, search term groups, hashtag groups etc) where individuals only engage with people they agree with.
The tag is: misp-galaxy:disarm-techniques="Find Echo Chambers"
Links |
Identify Data Voids
A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.
The tag is: misp-galaxy:disarm-techniques="Identify Data Voids"
Links |
Identify Existing Prejudices
An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarise its target audience from the rest of the public.
The tag is: misp-galaxy:disarm-techniques="Identify Existing Prejudices"
Links |
Identify Existing Fissures
An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer" approach to tailor operation narratives along the divides.
The tag is: misp-galaxy:disarm-techniques="Identify Existing Fissures"
Links |
Identify Existing Conspiracy Narratives/Suspicions
An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives.
The tag is: misp-galaxy:disarm-techniques="Identify Existing Conspiracy Narratives/Suspicions"
Links |
Identify Wedge Issues
A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarising the public along the wedge issue line and encouraging opposition between factions.
The tag is: misp-galaxy:disarm-techniques="Identify Wedge Issues"
Links |
Identify Target Audience Adversaries
An influence operation may identify or create a real or imaginary adversary to centre operation narratives against. A real adversary may include certain politicians or political parties while imaginary adversaries may include falsified “deep state” actors that, according to conspiracies, run the state behind public view.
The tag is: misp-galaxy:disarm-techniques="Identify Target Audience Adversaries"
Links |
Identify Media System Vulnerabilities
An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content.
The tag is: misp-galaxy:disarm-techniques="Identify Media System Vulnerabilities"
Links |
Develop New Narratives
Actors may develop new narratives to further strategic or tactical goals, especially when existing narratives adequately align with the campaign goals. New narratives provide more control in terms of crafting the message to achieve specific goals. However, new narratives may require more effort to disseminate than adapting or adopting existing narratives.
The tag is: misp-galaxy:disarm-techniques="Develop New Narratives"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0082.md |
Integrate Target Audience Vulnerabilities into Narrative
An influence operation may seek to exploit the preexisting weaknesses, fears, and enemies of the target audience for integration into the operation’s narratives and overall strategy. Integrating existing vulnerabilities into the operational approach conserves resources by exploiting already weak areas of the target information environment instead of forcing the operation to create new vulnerabilities in the environment.
The tag is: misp-galaxy:disarm-techniques="Integrate Target Audience Vulnerabilities into Narrative"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0083.md |
Reuse Existing Content
When an operation recycles content from its own previous operations or plagiarises from external operations. An operation may launder information to conserve resources that would have otherwise been utilised to develop new content.
The tag is: misp-galaxy:disarm-techniques="Reuse Existing Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0084.md |
Use Copypasta
Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text.
The tag is: misp-galaxy:disarm-techniques="Use Copypasta"
Links |
Plagiarise Content
An influence operation may take content from other sources without proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources.
The tag is: misp-galaxy:disarm-techniques="Plagiarise Content"
Links |
Deceptively Labelled or Translated
An influence operation may take authentic content from other sources and add deceptive labels or deceptively translate the content into other languages.
The tag is: misp-galaxy:disarm-techniques="Deceptively Labelled or Translated"
Links |
Appropriate Content
An influence operation may take content from other sources with proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation, or disinformation content from other sources. Examples include the appropriation of content from one inauthentic news site to another inauthentic news site or network in ways that align with the originator’s licensing or terms of service.
The tag is: misp-galaxy:disarm-techniques="Appropriate Content"
Links |
Develop Text-Based Content
Creating and editing false or misleading text-based artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign.
The tag is: misp-galaxy:disarm-techniques="Develop Text-Based Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.md |
Develop AI-Generated Text
AI-generated text refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use read fakes or autonomous generation to quickly develop and distribute content to the target audience.
The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Text"
Links |
Develop Inauthentic News Articles
An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.
The tag is: misp-galaxy:disarm-techniques="Develop Inauthentic News Articles"
Links |
Develop Document
Produce text in the form of a document.
The tag is: misp-galaxy:disarm-techniques="Develop Document"
Links |
Develop Book
Produce text content in the form of a book.
This technique covers both e-books and physical books; however, the former is more easily deployed by threat actors given the lower cost to develop.
The tag is: misp-galaxy:disarm-techniques="Develop Book"
Links |
Develop Opinion Article
Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation.
Flagging articles as opinions allows news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.
The use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.
Examples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisation’s goals.
The tag is: misp-galaxy:disarm-techniques="Develop Opinion Article"
Links |
Create Fake Research
Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.
This Technique previously used the ID T0019.001.
The tag is: misp-galaxy:disarm-techniques="Create Fake Research"
Links |
Develop Image-Based Content
Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.
The tag is: misp-galaxy:disarm-techniques="Develop Image-Based Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0086.md |
Develop Memes
Memes are one of the most important single artefact types in all of computational propaganda. In this framework, “memes” denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.
The tag is: misp-galaxy:disarm-techniques="Develop Memes"
Links |
Develop AI-Generated Images (Deepfakes)
Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.
The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Images (Deepfakes)"
Links |
Deceptively Edit Images (Cheap Fakes)
Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage to create a false context surrounding an image or event.
The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Images (Cheap Fakes)"
Links |
Aggregate Information into Evidence Collages
Image files that aggregate positive evidence (Joan Donovan)
The tag is: misp-galaxy:disarm-techniques="Aggregate Information into Evidence Collages"
Links |
Develop Video-Based Content
Creating and editing false or misleading video artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include staging videos of purportedly real situations, repurposing existing video artefacts, or using AI-generated video creation and editing technologies (including deepfakes).
The tag is: misp-galaxy:disarm-techniques="Develop Video-Based Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0087.md |
Develop AI-Generated Videos (Deepfakes)
Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.
The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Videos (Deepfakes)"
Links |
Deceptively Edit Video (Cheap Fakes)
Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage to create a false context surrounding an image or event.
The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Video (Cheap Fakes)"
Links |
Develop Audio-Based Content
Creating and editing false or misleading audio artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include creating completely new audio content, repurposing existing audio artefacts (including cheap fakes), or using AI-generated audio creation and editing technologies (including deepfakes).
The tag is: misp-galaxy:disarm-techniques="Develop Audio-Based Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0088.md |
Develop AI-Generated Audio (Deepfakes)
Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.
The tag is: misp-galaxy:disarm-techniques="Develop AI-Generated Audio (Deepfakes)"
Links |
Deceptively Edit Audio (Cheap Fakes)
Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example slowing, speeding, or cutting footage to create a false context surrounding an image or event.
The tag is: misp-galaxy:disarm-techniques="Deceptively Edit Audio (Cheap Fakes)"
Links |
Obtain Private Documents
Procuring documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can include authentic non-public documents, authentic non-public documents that have been altered, or inauthentic documents intended to appear as if they are authentic non-public documents. All of these types of documents can be "leaked" during later stages in the operation.
The tag is: misp-galaxy:disarm-techniques="Obtain Private Documents"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.md |
Obtain Authentic Documents
Procure authentic documents that are not publicly available, by whatever means — whether legal or illegal, highly-resourced or less so. These documents can be "leaked" during later stages in the operation.
The tag is: misp-galaxy:disarm-techniques="Obtain Authentic Documents"
Links |
Alter Authentic Documents
Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be "leaked" during later stages in the operation.
The tag is: misp-galaxy:disarm-techniques="Alter Authentic Documents"
Links |
Create Inauthentic Accounts
Inauthentic accounts include bot accounts, cyborg accounts, sockpuppet accounts, and anonymous accounts.
The tag is: misp-galaxy:disarm-techniques="Create Inauthentic Accounts"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.md |
Create Anonymous Accounts
Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation.
The tag is: misp-galaxy:disarm-techniques="Create Anonymous Accounts"
Links |
Create Cyborg Accounts
Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behaviour with human interaction.
The tag is: misp-galaxy:disarm-techniques="Create Cyborg Accounts"
Links |
Create Bot Accounts
Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behaviour. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may programme a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources. Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots pose as real people by mimicking human behaviour, complicating their detection.
The tag is: misp-galaxy:disarm-techniques="Create Bot Accounts"
Links |
Create Sockpuppet Accounts
Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account. Sockpuppet accounts help legitimise operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation.
The tag is: misp-galaxy:disarm-techniques="Create Sockpuppet Accounts"
Links |
Recruit Malign Actors
Operators recruit bad actors by paying, recruiting, or exerting control over individuals, including trolls, partisans, and contractors.
The tag is: misp-galaxy:disarm-techniques="Recruit Malign Actors"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.md |
Recruit Contractors
Operators recruit paid contractors to support the campaign.
The tag is: misp-galaxy:disarm-techniques="Recruit Contractors"
Links |
Recruit Partisans
Operators recruit partisans (ideologically-aligned individuals) to support the campaign.
The tag is: misp-galaxy:disarm-techniques="Recruit Partisans"
Links |
Enlist Troll Accounts
An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate. Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organisation, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalised or less organised and work for a single individual.
The tag is: misp-galaxy:disarm-techniques="Enlist Troll Accounts"
Links |
Build Network
Operators build their own network, creating links between accounts — whether authentic or inauthentic — in order to amplify and promote narratives and artefacts, and to encourage further growth of their network, as well as the ongoing sharing of and engagement with operational content.
The tag is: misp-galaxy:disarm-techniques="Build Network"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.md |
Create Organisations
Influence operations may establish organisations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.
The tag is: misp-galaxy:disarm-techniques="Create Organisations"
Links |
Use Follow Trains
A follow train is a group of people who follow each other on a social media platform, often as a way for an individual or campaign to grow its social media following. Follow trains may be a violation of platform Terms of Service. They are also known as follow-for-follow groups.
The tag is: misp-galaxy:disarm-techniques="Use Follow Trains"
Links |
Create Community or Sub-Group
When there is not an existing community or sub-group that meets a campaign’s goals, an influence operation may seek to create a community or sub-group.
The tag is: misp-galaxy:disarm-techniques="Create Community or Sub-Group"
Links |
Acquire/Recruit Network
Operators acquire an existing network by paying, recruiting, or exerting control over the leaders of the existing network.
The tag is: misp-galaxy:disarm-techniques="Acquire/Recruit Network"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.md |
Fund Proxies
An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including:
- Diversifying operation locations to complicate attribution
- Reducing the workload for direct operation assets
The tag is: misp-galaxy:disarm-techniques="Fund Proxies"
Links |
Acquire Botnets
A botnet is a group of bots that can function in coordination with each other.
The tag is: misp-galaxy:disarm-techniques="Acquire Botnets"
Links |
Infiltrate Existing Networks
Operators deceptively insert social assets into existing networks as group members in order to influence the members of the network and the wider information environment that the network impacts.
The tag is: misp-galaxy:disarm-techniques="Infiltrate Existing Networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.md |
Identify Susceptible Targets in Networks
When seeking to infiltrate an existing network, an influence operation may identify individuals and groups that might be susceptible to being co-opted or influenced.
The tag is: misp-galaxy:disarm-techniques="Identify Susceptible Targets in Networks"
Links |
Utilise Butterfly Attacks
Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organisations, and media campaigns.
The tag is: misp-galaxy:disarm-techniques="Utilise Butterfly Attacks"
Links |
Develop Owned Media Assets
An owned media asset refers to an agency or organisation through which an influence operation may create, develop, and host content and narratives. Owned media assets include websites, blogs, social media pages, forums, and other platforms that facilitate the creation and organisation of content.
The tag is: misp-galaxy:disarm-techniques="Develop Owned Media Assets"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0095.md |
Leverage Content Farms
Using the services of large-scale content providers for creating and amplifying campaign artefacts at scale.
The tag is: misp-galaxy:disarm-techniques="Leverage Content Farms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.md |
Create Content Farms
An influence operation may create an organisation for creating and amplifying campaign artefacts at scale.
The tag is: misp-galaxy:disarm-techniques="Create Content Farms"
Links |
Outsource Content Creation to External Organisations
An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organisation that can create content in the target audience’s native language. Employed organisations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media.
The tag is: misp-galaxy:disarm-techniques="Outsource Content Creation to External Organisations"
Links |
Create Personas
Creating fake people, often with accounts across multiple platforms. These personas can be as simple as a name, can contain slightly more background like location, profile pictures, backstory, or can be effectively backstopped with indicators like fake identity documents.
The tag is: misp-galaxy:disarm-techniques="Create Personas"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0097.md |
Produce Evidence for Persona
People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).
This Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.
The use of personas (T0097), and providing evidence to improve people’s perception of one’s persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.
This Technique was previously called Backstop Personas.
The tag is: misp-galaxy:disarm-techniques="Produce Evidence for Persona"
Links |
Establish Inauthentic News Sites
Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda—for instance, click-based revenue—often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their ownership, reporting history and advertising details.
The tag is: misp-galaxy:disarm-techniques="Establish Inauthentic News Sites"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0098.md |
Create Inauthentic News Sites
Create Inauthentic News Sites
The tag is: misp-galaxy:disarm-techniques="Create Inauthentic News Sites"
Links |
Leverage Existing Inauthentic News Sites
Leverage Existing Inauthentic News Sites
The tag is: misp-galaxy:disarm-techniques="Leverage Existing Inauthentic News Sites"
Links |
Impersonate Existing Entity
An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities.
Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites.
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account.
This Technique was previously called Prepare Assets Impersonating Legitimate Entities.
The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Entity"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.md |
Spoof/Parody Account/Site
An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.
The tag is: misp-galaxy:disarm-techniques="Spoof/Parody Account/Site"
Links |
Impersonate Existing Organisation
A situation where a threat actor styles their online assets or content to mimic an existing organisation.
This can be done to take advantage of peoples’ trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.
The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Organisation"
Links |
Impersonate Existing Media Outlet
A situation where a threat actor styles their online assets or content to mimic an existing media outlet.
This can be done to take advantage of peoples’ trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.
The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Media Outlet"
Links |
Impersonate Existing Official
A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc).
The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Official"
Links |
Impersonate Existing Influencer
A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users’ existing faith in the impersonated target.
The tag is: misp-galaxy:disarm-techniques="Impersonate Existing Influencer"
Links |
Co-Opt Trusted Sources
An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:
- National or local news outlets
- Research or academic publications
- Online blogs or websites
The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Sources"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0100.md |
Co-Opt Trusted Individuals
Co-Opt Trusted Individuals
The tag is: misp-galaxy:disarm-techniques="Co-Opt Trusted Individuals"
Links |
Co-Opt Grassroots Groups
Co-Opt Grassroots Groups
The tag is: misp-galaxy:disarm-techniques="Co-Opt Grassroots Groups"
Links |
Co-Opt Influencers
Co-opt Influencers
The tag is: misp-galaxy:disarm-techniques="Co-Opt Influencers"
Links |
Create Localised Content
Localised content refers to content that appeals to a specific community of individuals, often in defined geographic areas. An operation may create localised content using local language and dialects to resonate with its target audience and blend in with other local news and social media. Localised content may help an operation increase legitimacy, avoid detection, and complicate external attribution.
The tag is: misp-galaxy:disarm-techniques="Create Localised Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0101.md |
Leverage Echo Chambers/Filter Bubbles
An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm’s placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by matching existing groups, or by aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members.
The tag is: misp-galaxy:disarm-techniques="Leverage Echo Chambers/Filter Bubbles"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0102.md |
Use Existing Echo Chambers/Filter Bubbles
Use existing Echo Chambers/Filter Bubbles
The tag is: misp-galaxy:disarm-techniques="Use Existing Echo Chambers/Filter Bubbles"
Links |
Create Echo Chambers/Filter Bubbles
Create Echo Chambers/Filter Bubbles
The tag is: misp-galaxy:disarm-techniques="Create Echo Chambers/Filter Bubbles"
Links |
Exploit Data Voids
A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term.
The tag is: misp-galaxy:disarm-techniques="Exploit Data Voids"
Links |
Livestream
A livestream refers to an online broadcast capability that allows for real-time communication to closed or open networks.
The tag is: misp-galaxy:disarm-techniques="Livestream"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0103.md |
Video Livestream
A video livestream refers to an online video broadcast capability that allows for real-time communication to closed or open networks.
The tag is: misp-galaxy:disarm-techniques="Video Livestream"
Links |
Audio Livestream
An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks.
The tag is: misp-galaxy:disarm-techniques="Audio Livestream"
Links |
Social Networks
Social media are interactive digital channels that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks.
The tag is: misp-galaxy:disarm-techniques="Social Networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0104.md |
Mainstream Social Networks
Examples include Facebook, Twitter, LinkedIn, etc.
The tag is: misp-galaxy:disarm-techniques="Mainstream Social Networks"
Links |
Dating App
“Dating App” refers to any platform (or platform feature) in which the ostensible purpose is for users to develop a physical/romantic relationship with other users.
Threat Actors can exploit users’ quest for love to trick them into doing things like revealing sensitive information or giving them money.
Examples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, Hinge, LOVOO, OkCupid, happn, and Mamba.
The tag is: misp-galaxy:disarm-techniques="Dating App"
Links |
Private/Closed Social Networks
Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.
The tag is: misp-galaxy:disarm-techniques="Private/Closed Social Networks"
Links |
Interest-Based Networks
Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.
The tag is: misp-galaxy:disarm-techniques="Interest-Based Networks"
Links |
Use Hashtags
Use a dedicated, existing hashtag for the campaign/incident.
The tag is: misp-galaxy:disarm-techniques="Use Hashtags"
Links |
Create Dedicated Hashtag
Create a campaign/incident specific hashtag.
The tag is: misp-galaxy:disarm-techniques="Create Dedicated Hashtag"
Links |
Media Sharing Networks
Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, YouTube, and SoundCloud.
The tag is: misp-galaxy:disarm-techniques="Media Sharing Networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0105.md |
Photo Sharing
Examples include Instagram, Snapchat, Flickr, etc.
The tag is: misp-galaxy:disarm-techniques="Photo Sharing"
Links |
Video Sharing
Examples include YouTube, TikTok, ShareChat, Rumble, etc.
The tag is: misp-galaxy:disarm-techniques="Video Sharing"
Links |
Audio Sharing
Examples include podcasting apps, SoundCloud, etc.
The tag is: misp-galaxy:disarm-techniques="Audio Sharing"
Links |
Discussion Forums
Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc.
The tag is: misp-galaxy:disarm-techniques="Discussion Forums"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0106.md |
Anonymous Message Boards
Examples include the Chans.
The tag is: misp-galaxy:disarm-techniques="Anonymous Message Boards"
Links |
Bookmarking and Content Curation
Platforms for searching, sharing, and curating content and media. Examples include Pinterest, Flipboard, etc.
The tag is: misp-galaxy:disarm-techniques="Bookmarking and Content Curation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0107.md |
Blogging and Publishing Networks
Examples include WordPress, Blogger, Weebly, Tumblr, Medium, etc.
The tag is: misp-galaxy:disarm-techniques="Blogging and Publishing Networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0108.md |
Consumer Review Networks
Platforms for finding, reviewing, and sharing information about brands, products, services, restaurants, travel destinations, etc. Examples include Yelp, TripAdvisor, etc.
The tag is: misp-galaxy:disarm-techniques="Consumer Review Networks"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0109.md |
Formal Diplomatic Channels
Leveraging formal, traditional, diplomatic channels to communicate with foreign governments (written documents, meetings, summits, diplomatic visits, etc). This type of diplomacy is conducted by diplomats of one nation with diplomats and other officials of another nation or international organisation.
The tag is: misp-galaxy:disarm-techniques="Formal Diplomatic Channels"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0110.md |
Traditional Media
Examples include TV, Newspaper, Radio, etc.
The tag is: misp-galaxy:disarm-techniques="Traditional Media"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0111.md |
Newspaper
Newspaper
The tag is: misp-galaxy:disarm-techniques="Newspaper"
Links |
Email
Delivering content and narratives via email. This can include using list management or high-value individually targeted messaging.
The tag is: misp-galaxy:disarm-techniques="Email"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0112.md |
Employ Commercial Analytic Firms
Commercial analytic firms collect data on target audience activities and evaluate the data to detect trends, such as content receiving high click-rates. An influence operation may employ commercial analytic firms to facilitate external collection on its target audience, complicating attribution efforts and better tailoring the content to audience preferences.
The tag is: misp-galaxy:disarm-techniques="Employ Commercial Analytic Firms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0113.md |
Deliver Ads
Delivering content via any form of paid media or advertising.
The tag is: misp-galaxy:disarm-techniques="Deliver Ads"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0114.md |
Social Media
Social Media
The tag is: misp-galaxy:disarm-techniques="Social Media"
Links |
Post Content
Delivering content by posting via owned media (assets that the operator controls).
The tag is: misp-galaxy:disarm-techniques="Post Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0115.md |
Share Memes
Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.
The tag is: misp-galaxy:disarm-techniques="Share Memes"
Links |
Post Violative Content to Provoke Takedown and Backlash
Post Violative Content to Provoke Takedown and Backlash.
The tag is: misp-galaxy:disarm-techniques="Post Violative Content to Provoke Takedown and Backlash"
Links |
One-Way Direct Posting
Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative.
The tag is: misp-galaxy:disarm-techniques="One-Way Direct Posting"
Links |
Comment or Reply on Content
Delivering content by replying or commenting via owned media (assets that the operator controls).
The tag is: misp-galaxy:disarm-techniques="Comment or Reply on Content"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0116.md |
Post Inauthentic Social Media Comment
Use government-paid social media commenters, astroturfers, and chat bots (programmed to reply to specific keywords/hashtags) to influence online conversations, product reviews, and website comment forums.
The tag is: misp-galaxy:disarm-techniques="Post Inauthentic Social Media Comment"
Links |
Attract Traditional Media
Deliver content by attracting the attention of traditional media (earned media).
The tag is: misp-galaxy:disarm-techniques="Attract Traditional Media"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0117.md |
Amplify Existing Narrative
An influence operation may amplify existing narratives that align with its narratives to support operation objectives.
The tag is: misp-galaxy:disarm-techniques="Amplify Existing Narrative"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0118.md |
Cross-Posting
Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience.
The tag is: misp-galaxy:disarm-techniques="Cross-Posting"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0119.md |
Post across Groups
An influence operation may post content across groups to spread narratives and content to new communities within the target audiences or to new target audiences.
The tag is: misp-galaxy:disarm-techniques="Post across Groups"
Links |
Post across Platform
An influence operation may post content across platforms to spread narratives and content to new communities within the target audiences or to new target audiences. Posting across platforms can also remove opposition and context, helping the narrative spread with less opposition on the cross-posted platform.
The tag is: misp-galaxy:disarm-techniques="Post across Platform"
Links |
Post across Disciplines
Post Across Disciplines
The tag is: misp-galaxy:disarm-techniques="Post across Disciplines"
Links |
Incentivize Sharing
Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.
The tag is: misp-galaxy:disarm-techniques="Incentivize Sharing"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0120.md |
Use Affiliate Marketing Programmes
Use Affiliate Marketing Programmes
The tag is: misp-galaxy:disarm-techniques="Use Affiliate Marketing Programmes"
Links |
Use Contests and Prizes
Use Contests and Prizes
The tag is: misp-galaxy:disarm-techniques="Use Contests and Prizes"
Links |
Manipulate Platform Algorithm
Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analysing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognises engagement with operation content and further promotes the content on user timelines.
The tag is: misp-galaxy:disarm-techniques="Manipulate Platform Algorithm"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0121.md |
Bypass Content Blocking
Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include:
- Altering IP addresses to avoid IP filtering
- Using a Virtual Private Network (VPN) to avoid IP filtering
- Using a Content Delivery Network (CDN) to avoid IP filtering
- Enabling encryption to bypass packet inspection blocking
- Manipulating text to avoid filtering by keywords
- Posting content on multiple platforms to avoid platform-specific removals
- Using local facilities or modified DNS servers to avoid DNS filtering
The tag is: misp-galaxy:disarm-techniques="Bypass Content Blocking"
Links |
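Of the strategies listed above, "manipulating text to avoid filtering by keywords" is the one a content filter can partially defend against in software: the evasions are predictable (inserted punctuation, zero-width characters, fullwidth or accented letters, Cyrillic and Greek look-alikes, leetspeak digits), so the filter can fold them back to plain ASCII before matching. The block below is an added example written for this page, not code from the MISP project or the DISARM framework. The confusables table is a small hand-picked subset (the full Unicode confusables list is far larger), the separator tolerance of two characters and the sample sentences are constructed assumptions, and the digit-to-letter mapping will also rewrite legitimate numbers, so a production filter would apply it only inside candidate words.

```python
"""Fold common keyword-filter evasions back onto ASCII before matching.

Added example for the "Bypass Content Blocking" technique. The confusables
table below is a deliberately small subset and the samples are constructed.
"""
import re
import unicodedata

# Invisible code points commonly inserted inside a word to break exact matching.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}

# Assumption: a minimal look-alike table. Keys are Cyrillic/Greek letters that
# render like Latin ones, plus leetspeak substitutions; values are the Latin letter.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",          # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                          # Greek
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalise(text: str) -> str:
    """Return `text` with zero-width characters removed, compatibility forms
    (fullwidth letters, ligatures) folded, accents stripped, case folded and
    look-alike characters replaced by their Latin counterparts."""
    text = "".join(ch for ch in text if ord(ch) not in ZERO_WIDTH)
    text = unicodedata.normalize("NFKC", text)   # fullwidth -> ASCII, ligatures split
    text = unicodedata.normalize("NFD", text)    # separate base letters from accents
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.casefold().translate(CONFUSABLES)


def keyword_pattern(keyword: str) -> re.Pattern:
    """Compile `keyword` so that up to two non-alphanumeric characters may sit
    between consecutive letters ("b.l.o.c.k.e.d", "b l o c k e d"), while
    refusing matches that are part of a longer alphanumeric run."""
    letters = [re.escape(ch) for ch in keyword.casefold()]
    body = r"[^a-z0-9]{0,2}".join(letters)
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])")


def find_blocked_terms(text: str, blocklist) -> list:
    """Return the sorted blocklist terms found in `text` after normalisation."""
    norm = normalise(text)
    return sorted({kw for kw in blocklist if keyword_pattern(kw).search(norm)})


# Constructed samples: the same keyword under several evasions, plus a clean line.
SAMPLES = [
    "this post is blocked",                # plain
    "this post is b.l.o.c.k.e.d",          # punctuation between letters
    "this post is bl\u200bocked",          # zero-width space inside the word
    "this post is \uff42\uff4c\uff4f\uff43\uff4b\uff45\uff44",  # fullwidth letters
    "this post is bl\u043ecked",           # Cyrillic small o
    "this post is bl0ck3d",                # leetspeak digits
    "this post is bl\u00f6cked",           # accented o
    "this post is fine",                   # nothing to flag
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", find_blocked_terms(sample, ["blocked"]))
```

Each normalisation step answers one evasion in the list above, and the order matters: zero-width characters are removed first so that NFKC sees whole words, accents are split off after compatibility folding, and the look-alike table is applied only after case folding so uppercase Cyrillic is caught too. The approach raises false positives on ordinary text containing digits and cannot handle images of text or paraphrase, which is why keyword filtering remains only one layer of content moderation.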
Direct Users to Alternative Platforms
Direct users to alternative platforms refers to encouraging users to move from the platform on which they initially viewed operation content and engage with content on alternate information channels, including separate social media channels and inauthentic websites. An operation may drive users to alternative platforms to diversify its information channels and ensure the target audience knows where to access operation content if the initial platform suspends, flags, or otherwise removes original operation assets and content.
The tag is: misp-galaxy:disarm-techniques="Direct Users to Alternative Platforms"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0122.md |
Control Information Environment through Offensive Cyberspace Operations
Controlling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritise operation messaging or block opposition messaging.
The tag is: misp-galaxy:disarm-techniques="Control Information Environment through Offensive Cyberspace Operations"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0123.md |
Delete Opposing Content
Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.
The tag is: misp-galaxy:disarm-techniques="Delete Opposing Content"
Links |
Block Content
Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes.
The tag is: misp-galaxy:disarm-techniques="Block Content"
Links |
Destroy Information Generation Capabilities
Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives.
The tag is: misp-galaxy:disarm-techniques="Destroy Information Generation Capabilities"
Links |
Conduct Server Redirect
A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side or client-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.
The tag is: misp-galaxy:disarm-techniques="Conduct Server Redirect"
Links |
Suppress Opposition
Operators can suppress the opposition by exploiting platform content moderation tools and processes like reporting non-violative content to platforms for takedown and goading opposition actors into taking actions that result in platform action or target audience disapproval.
The tag is: misp-galaxy:disarm-techniques="Suppress Opposition"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0124.md |
Report Non-Violative Opposing Content
Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space.
The tag is: misp-galaxy:disarm-techniques="Report Non-Violative Opposing Content"
Links |
Goad People into Harmful Action (Stop Hitting Yourself)
Goad people into actions that violate terms of service or will lead to having their content or accounts taken down.
The tag is: misp-galaxy:disarm-techniques="Goad People into Harmful Action (Stop Hitting Yourself)"
Links |
Exploit Platform TOS/Content Moderation
Exploit Platform TOS/Content Moderation
The tag is: misp-galaxy:disarm-techniques="Exploit Platform TOS/Content Moderation"
Links |
Platform Filtering
Platform filtering refers to the decontextualization of information as claims cross platforms (from Joan Donovan https://www.hks.harvard.edu/publications/disinformation-design-use-evidence-collages-and-platform-filtering-media-manipulation)
The tag is: misp-galaxy:disarm-techniques="Platform Filtering"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0125.md |
Encourage Attendance at Events
Operation encourages attendance at existing real world event.
The tag is: misp-galaxy:disarm-techniques="Encourage Attendance at Events"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0126.md |
Call to Action to Attend
Call to action to attend an event
The tag is: misp-galaxy:disarm-techniques="Call to Action to Attend"
Links |
Facilitate Logistics or Support for Attendance
Facilitate logistics or support for travel, food, housing, etc.
The tag is: misp-galaxy:disarm-techniques="Facilitate Logistics or Support for Attendance"
Links |
Physical Violence
Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value.
The tag is: misp-galaxy:disarm-techniques="Physical Violence"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0127.md |
Conduct Physical Violence
An influence operation may directly Conduct Physical Violence to achieve campaign goals.
The tag is: misp-galaxy:disarm-techniques="Conduct Physical Violence"
Links |
Encourage Physical Violence
An influence operation may Encourage others to engage in Physical Violence to achieve campaign goals.
The tag is: misp-galaxy:disarm-techniques="Encourage Physical Violence"
Links |
Conceal Information Assets
Conceal the identity or provenance of campaign information assets such as accounts, channels, pages etc. to avoid takedown and attribution.
The tag is: misp-galaxy:disarm-techniques="Conceal Information Assets"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0128.md |
Use Pseudonyms
An operation may use pseudonyms, or fake names, to mask the identity of operational accounts, channels, pages etc., publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account, channel, or page with the same falsified name.
The tag is: misp-galaxy:disarm-techniques="Use Pseudonyms"
Links |
Conceal Network Identity
Concealing network identity aims to hide the existence of an influence operation's network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation.
The tag is: misp-galaxy:disarm-techniques="Conceal Network Identity"
Links |
Distance Reputable Individuals from Operation
Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.
The tag is: misp-galaxy:disarm-techniques="Distance Reputable Individuals from Operation"
Links |
Launder Information Assets
Laundering occurs when an influence operation acquires control of previously legitimate information assets such as accounts, channels, pages etc. from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered assets to reach target audience members from within an existing information community and to complicate attribution.
The tag is: misp-galaxy:disarm-techniques="Launder Information Assets"
Links |
Change Names of Information Assets
Changing names or brand names of information assets such as accounts, channels, pages etc. An operation may change the names or brand names of its assets throughout an operation to avoid detection or alter the names of newly acquired or repurposed assets to fit operational narratives.
The tag is: misp-galaxy:disarm-techniques="Change Names of Information Assets"
Links |
Conceal Operational Activity
Conceal the campaign’s operational activity to avoid takedown and attribution.
The tag is: misp-galaxy:disarm-techniques="Conceal Operational Activity"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0129.md |
Generate Content Unrelated to Narrative
An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content.
The tag is: misp-galaxy:disarm-techniques="Generate Content Unrelated to Narrative"
Links |
Break Association with Content
Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation.
The tag is: misp-galaxy:disarm-techniques="Break Association with Content"
Links |
Delete URLs
URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.
The tag is: misp-galaxy:disarm-techniques="Delete URLs"
Links |
Coordinate on Encrypted/Closed Networks
Coordinate on encrypted/ closed networks
The tag is: misp-galaxy:disarm-techniques="Coordinate on Encrypted/Closed Networks"
Links |
Deny Involvement
Without "smoking gun" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment.
The tag is: misp-galaxy:disarm-techniques="Deny Involvement"
Links |
Delete Accounts/Account Activity
Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artefacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred.
The tag is: misp-galaxy:disarm-techniques="Delete Accounts/Account Activity"
Links |
Redirect URLs
An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation’s appearance of legitimacy, complicate attribution, and avoid detection.
The tag is: misp-galaxy:disarm-techniques="Redirect URLs"
Links |
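"Conduct Server Redirect" and "Redirect URLs" above are the two faces of the same mechanism: a chain of HTTP redirects that the user never sees. The defensive check is to walk the chain hop by hop without auto-following, keep every intermediate URL, stop on loops or excessive length, and compare the first and last hosts: a lookalike of a known brand that lands on the brand's real site is the pattern "Redirect URLs" describes, while a chain that starts on a trusted host and ends somewhere else is the "Conduct Server Redirect" case. The block below is an added example written for this page, not code from the MISP project or the DISARM framework; it takes a `fetch` callback so it runs offline against a constructed hop table (all hosts use the reserved .test TLD), the registrable-domain logic keeps only the last two labels (a real tool would consult the public suffix list), and the edit-distance threshold of two is an assumption.

```python
"""Walk a redirect chain hop by hop and flag lookalike-to-legitimate redirects.

Added example for the "Conduct Server Redirect" and "Redirect URLs" techniques.
The hop table, brand list and thresholds are constructed assumptions.
"""
from urllib.parse import urljoin, urlsplit

# Constructed hop table standing in for HTTP Location headers: url -> next url,
# None meaning the response was not a redirect. A real `fetch` would issue a
# request with redirects disabled and return the Location header.
HOPS = {
    "http://examp1e-bank.test/login": "https://short.test/abc",
    "https://short.test/abc": "https://www.example-bank.test/",
    "https://www.example-bank.test/": None,
    "http://loop.test/a": "/b",
    "http://loop.test/b": "/a",
    "http://news.test/story": None,
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str, brand_domain: str, max_distance: int = 2) -> bool:
    """True when `host` is not the brand's domain but its first label is within
    `max_distance` edits of the brand label, or contains the brand label."""
    h, b = registrable(host), registrable(brand_domain)
    if h == b:
        return False
    h_label, b_label = h.split(".")[0], b.split(".")[0]
    return levenshtein(h_label, b_label) <= max_distance or b_label in h_label


def walk_redirects(url: str, fetch, max_hops: int = 10):
    """Follow redirects manually. `fetch(url)` returns the next Location or None.

    Returns (chain, status) where status is "final", "loop" or "too_many_hops".
    Relative Location values are resolved against the current URL."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain, "final"
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def classify_chain(chain, brands):
    """Describe the chain if a brand lookalike ends on the brand's real domain,
    or if a chain that starts on a brand domain leaves it; otherwise None."""
    first = urlsplit(chain[0]).hostname or ""
    last = urlsplit(chain[-1]).hostname or ""
    for brand in brands:
        if registrable(last) == registrable(brand) and is_lookalike(first, brand):
            return f"lookalike {first} redirects to legitimate {last}"
        if registrable(first) == registrable(brand) and registrable(last) != registrable(brand):
            return f"trusted {first} redirects off-brand to {last}"
    return None


if __name__ == "__main__":
    for start in ("http://examp1e-bank.test/login", "http://loop.test/a", "http://news.test/story"):
        chain, status = walk_redirects(start, HOPS.get)
        print(status, " -> ".join(chain), classify_chain(chain, ["example-bank.test"]))
```

Keeping the whole chain rather than only the final URL is the point: the intermediate shortener hop is what an analyst records in the event, and it is also the indicator that survives after the operation repoints the final destination. Scores on the first label alone will miss lookalikes built from a different TLD or from subdomains of an unrelated registrable domain, so a production version adds those comparisons on top of the edit distance.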
Remove Post Origins
Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content.
The tag is: misp-galaxy:disarm-techniques="Remove Post Origins"
Links |
Misattribute Activity
Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behaviour.
The tag is: misp-galaxy:disarm-techniques="Misattribute Activity"
Links |
Conceal Infrastructure
Conceal the campaign’s infrastructure to avoid takedown and attribution.
The tag is: misp-galaxy:disarm-techniques="Conceal Infrastructure"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0130.md |
Conceal Sponsorship
Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organisations, but seek to mislead or obscure the identity sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation's target audience, and post in the region's language.
The tag is: misp-galaxy:disarm-techniques="Conceal Sponsorship"
Links |
Utilise Bulletproof Hosting
Hosting refers to services through which storage and computing resources are provided to an individual or organisation for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilise bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend.
The tag is: misp-galaxy:disarm-techniques="Utilise Bulletproof Hosting"
Links |
Use Shell Organisations
Use Shell Organisations to conceal sponsorship.
The tag is: misp-galaxy:disarm-techniques="Use Shell Organisations"
Links |
Use Cryptocurrency
Use Cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum.
The tag is: misp-galaxy:disarm-techniques="Use Cryptocurrency"
Links |
Obfuscate Payment
Obfuscate Payment
The tag is: misp-galaxy:disarm-techniques="Obfuscate Payment"
Links |
Exploit TOS/Content Moderation
Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions.
The tag is: misp-galaxy:disarm-techniques="Exploit TOS/Content Moderation"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0131.md |
Legacy Web Content
Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it’s hard to remove or unlikely to be removed.
The tag is: misp-galaxy:disarm-techniques="Legacy Web Content"
Links |
Post Borderline Content
Post Borderline Content
The tag is: misp-galaxy:disarm-techniques="Post Borderline Content"
Links |
Measure Performance
A metric used to determine the accomplishment of actions. “Are the actions being executed as planned?”
The tag is: misp-galaxy:disarm-techniques="Measure Performance"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0132.md |
People Focused
Measure the performance of individuals in achieving campaign goals.
The tag is: misp-galaxy:disarm-techniques="People Focused"
Links |
Content Focused
Measure the performance of campaign content.
The tag is: misp-galaxy:disarm-techniques="Content Focused"
Links |
View Focused
View Focused
The tag is: misp-galaxy:disarm-techniques="View Focused"
Links |
Measure Effectiveness
A metric used to measure a current system state. “Are we on track to achieve the intended new system state within the planned timescale?”
The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0133.md |
Behaviour Changes
Monitor and evaluate behaviour changes from misinformation incidents.
The tag is: misp-galaxy:disarm-techniques="Behaviour Changes"
Links |
Content
Measure current system state with respect to the effectiveness of campaign content.
The tag is: misp-galaxy:disarm-techniques="Content"
Links |
Awareness
Measure current system state with respect to the effectiveness of influencing awareness.
The tag is: misp-galaxy:disarm-techniques="Awareness"
Links |
Knowledge
Measure current system state with respect to the effectiveness of influencing knowledge.
The tag is: misp-galaxy:disarm-techniques="Knowledge"
Links |
Action/Attitude
Measure current system state with respect to the effectiveness of influencing action/attitude.
The tag is: misp-galaxy:disarm-techniques="Action/Attitude"
Links |
Measure Effectiveness Indicators (or KPIs)
Ensuring that Key Performance Indicators are identified and tracked, so that the performance and effectiveness of campaigns, and elements of campaigns, can be measured, during and after their execution.
The tag is: misp-galaxy:disarm-techniques="Measure Effectiveness Indicators (or KPIs)"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0134.md |
Message Reach
Monitor and evaluate message reach in misinformation incidents.
The tag is: misp-galaxy:disarm-techniques="Message Reach"
Links |
Social Media Engagement
Monitor and evaluate social media engagement in misinformation incidents.
The tag is: misp-galaxy:disarm-techniques="Social Media Engagement"
Links |
Undermine
Weaken, debilitate, or subvert a target or their actions. An influence operation may be designed to disparage an opponent; sabotage an opponent’s systems or processes; compromise an opponent’s relationships or support system; impair an opponent’s capability; or thwart an opponent’s initiative.
The tag is: misp-galaxy:disarm-techniques="Undermine"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0135.md |
Smear
Denigrate, disparage, or discredit an opponent. This is a common tactical objective in political campaigns with a larger strategic goal. It differs from efforts to harm a target through defamation. If there is no ulterior motive and the sole aim is to cause harm to the target, then choose sub-technique “Defame” of technique “Cause Harm” instead.
The tag is: misp-galaxy:disarm-techniques="Smear"
Links |
Thwart
Prevent the successful outcome of a policy, operation, or initiative. Actors conduct influence operations to stymie or foil proposals, plans, or courses of action which are not in their interest.
The tag is: misp-galaxy:disarm-techniques="Thwart"
Links |
Subvert
Sabotage, destroy, or damage a system, process, or relationship. The classic example is the Soviet strategy of “active measures” involving deniable covert activities such as political influence, the use of front organisations, the orchestration of domestic unrest, and the spread of disinformation.
The tag is: misp-galaxy:disarm-techniques="Subvert"
Links |
Polarise
To cause a target audience to divide into two completely opposing groups. This is a special case of subversion. To divide and conquer is an age-old approach to subverting and overcoming an enemy.
The tag is: misp-galaxy:disarm-techniques="Polarise"
Links |
Cultivate Support
Grow or maintain the base of support for the actor, ally, or action. This includes hard core recruitment, managing alliances, and generating or maintaining sympathy among a wider audience, including reputation management and public relations. Sub-techniques assume support for actor (self) unless otherwise specified.
The tag is: misp-galaxy:disarm-techniques="Cultivate Support"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0136.md |
Defend Reputaton
Preserve a positive perception in the public’s mind following an accusation or adverse event. When accused of a wrongful act, an actor may engage in denial, counter accusations, whataboutism, or conspiracy theories to distract public attention and attempt to maintain a positive image.
The tag is: misp-galaxy:disarm-techniques="Defend Reputaton"
Links |
Justify Action
To convince others to exonerate you of a perceived wrongdoing. When an actor finds it untenable to deny doing something, they may attempt to exonerate themselves with disinformation which claims the action was reasonable. This is a special case of “Defend Reputation”.
The tag is: misp-galaxy:disarm-techniques="Justify Action"
Links |
Energise Supporters
Raise the morale of those who support the organisation or group. Invigorate constituents with zeal for the mission or activity. Terrorist groups, political movements, and cults may indoctrinate their supporters with ideologies that are based on warped versions of religion or cause harm to others.
The tag is: misp-galaxy:disarm-techniques="Energise Supporters"
Links |
Boost Reputation
Elevate the estimation of the actor in the public’s mind. Improve their image or standing. Public relations professionals use persuasive overt communications to achieve this goal; manipulators use covert disinformation.
The tag is: misp-galaxy:disarm-techniques="Boost Reputation"
Links |
Cultvate Support for Initiative
Elevate or fortify the public backing for a policy, operation, or idea. Domestic and foreign actors can use artificial means to fabricate or amplify public support for a proposal or action.
The tag is: misp-galaxy:disarm-techniques="Cultvate Support for Initiative"
Links |
Cultivate Support for Ally
Elevate or fortify the public backing for a partner. Governments may interfere in other countries’ elections by covertly favouring a party or candidate aligned with their interests. They may also mount an influence operation to bolster the reputation of an ally under attack.
The tag is: misp-galaxy:disarm-techniques="Cultivate Support for Ally"
Links |
Recruit Members
Motivate followers to join or subscribe as members of the team. Organisations may mount recruitment drives that use propaganda to entice sympathisers to sign up.
The tag is: misp-galaxy:disarm-techniques="Recruit Members"
Links |
Increase Prestige
Improve personal standing within a community. Gain fame, approbation, or notoriety. Conspiracy theorists, those with special access, and ideologues can gain prominence in a community by propagating disinformation, leaking confidential documents, or spreading hate.
The tag is: misp-galaxy:disarm-techniques="Increase Prestige"
Links |
Make Money
Profit from disinformation, conspiracy theories, or online harm. In some cases, the sole objective is financial gain, in other cases the objective is both financial and political. Making money may also be a way to sustain a political campaign.
The tag is: misp-galaxy:disarm-techniques="Make Money"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0137.md |
Generate Ad Revenue
Earn income from digital advertisements published alongside inauthentic content. Conspiratorial, false, or provocative content drives internet traffic. Content owners earn money from impressions of, or clicks on, or conversions of ads published on their websites, social media profiles, or streaming services, or ads published when their content appears in search engine results. Fraudsters simulate impressions, clicks, and conversions, or they spin up inauthentic sites or social media profiles just to generate ad revenue. Conspiracy theorists and political operators generate ad revenue as a byproduct of their operation or as a means of sustaining their campaign.
The tag is: misp-galaxy:disarm-techniques="Generate Ad Revenue"
Links |
Scam
Defraud a target or trick a target into doing something that benefits the attacker. A typical scam is where a fraudster convinces a target to pay for something without the intention of ever delivering anything in return. Alternatively, the fraudster may promise benefits which never materialise, such as a fake cure. Criminals often exploit a fear or crisis or generate a sense of urgency. They may use deepfakes to impersonate authority figures or individuals in distress.
The tag is: misp-galaxy:disarm-techniques="Scam"
Links |
Raise Funds
Solicit donations for a cause. Popular conspiracy theorists can attract financial contributions from their followers. Fighting back against the establishment is a popular crowdfunding narrative.
The tag is: misp-galaxy:disarm-techniques="Raise Funds"
Links |
Sell Items under False Pretences
Offer products for sale under false pretences. Campaigns may hijack or create causes built on disinformation to sell promotional merchandise. Or charlatans may amplify victims’ unfounded fears to sell them items of questionable utility such as supplements or survival gear.
The tag is: misp-galaxy:disarm-techniques="Sell Items under False Pretences"
Links |
Extort
Coerce money or favours from a target by threatening to expose or corrupt information. Ransomware criminals typically demand money. Intelligence agencies demand national secrets. Sexual predators demand favours. The leverage may be critical, sensitive, or embarrassing information.
The tag is: misp-galaxy:disarm-techniques="Extort"
Links |
Manipulate Stocks
Artificially inflate or deflate the price of stocks or other financial instruments and then trade on these to make profit. The most common securities fraud schemes are called “pump and dump” and “poop and scoop”.
The tag is: misp-galaxy:disarm-techniques="Manipulate Stocks"
Links |
Motivate to Act
Persuade, impel, or provoke the target to behave in a specific manner favourable to the attacker. Some common behaviours are joining, subscribing, voting, buying, demonstrating, fighting, retreating, resigning, boycotting.
The tag is: misp-galaxy:disarm-techniques="Motivate to Act"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0138.md |
Encourage
Inspire, animate, or exhort a target to act. An actor can use propaganda, disinformation, or conspiracy theories to stimulate a target to act in its interest.
The tag is: misp-galaxy:disarm-techniques="Encourage"
Links |
Provoke
Instigate, incite, or arouse a target to act. Social media manipulators exploit moral outrage to propel targets to spread hate, take to the streets to protest, or engage in acts of violence.
The tag is: misp-galaxy:disarm-techniques="Provoke"
Links |
Compel
Force target to take an action or to stop taking an action it has already started. Actors can use the threat of reputational damage alongside military or economic threats to compel a target.
The tag is: misp-galaxy:disarm-techniques="Compel"
Links |
Dissuade from Acting
Discourage, deter, or inhibit the target from actions which would be unfavourable to the attacker. The actor may want the target to refrain from voting, buying, fighting, or supplying.
The tag is: misp-galaxy:disarm-techniques="Dissuade from Acting"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0139.md |
Discourage
To make a target disinclined or reluctant to act. Manipulators use disinformation to cause targets to question the utility, legality, or morality of taking an action.
The tag is: misp-galaxy:disarm-techniques="Discourage"
Links |
Silence
Intimidate or incentivise target into remaining silent or prevent target from speaking out. A threat actor may cow a target into silence as a special case of deterrence. Or they may buy the target’s silence. Or they may repress or restrict the target’s speech.
The tag is: misp-galaxy:disarm-techniques="Silence"
Links |
Deter
Prevent target from taking an action for fear of the consequences. Deterrence occurs in the mind of the target, who fears they will be worse off if they take an action than if they don’t. When making threats, aggressors may bluff, feign irrationality, or engage in brinksmanship.
The tag is: misp-galaxy:disarm-techniques="Deter"
Links |
Cause Harm
Persecute, malign, or inflict pain upon a target. The objective of a campaign may be to cause fear or emotional distress in a target. In some cases, harm is instrumental to achieving a primary objective, as in coercion, repression, or intimidation. In other cases, harm may be inflicted for the satisfaction of the perpetrator, as in revenge or sadistic cruelty.
The tag is: misp-galaxy:disarm-techniques="Cause Harm"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0140.md |
Defame
Attempt to damage the target’s personal reputation by impugning their character. This can range from subtle attempts to misrepresent or insinuate, to obvious attempts to denigrate or disparage, to blatant attempts to malign or vilify. Slander applies to oral expression. Libel applies to written or pictorial material. Defamation is often carried out by online trolls. The sole aim here is to cause harm to the target. If the threat actor uses defamation as a means of undermining the target, then choose sub-technique “Smear” of technique “Undermine” instead.
The tag is: misp-galaxy:disarm-techniques="Defame"
Links |
Intimidate
Coerce, bully, or frighten the target. An influence operation may use intimidation to compel the target to act against their will. Or the goal may be to frighten or even terrify the target into silence or submission. In some cases, the goal is simply to make the victim suffer.
The tag is: misp-galaxy:disarm-techniques="Intimidate"
Links |
Spread Hate
Publish and/or propagate demeaning, derisive, or humiliating content targeting an individual or group of individuals with the intent to cause emotional, psychological, or physical distress. Hate speech can cause harm directly or incite others to harm the target. It often aims to stigmatise the target by singling out immutable characteristics such as colour, race, religion, national or ethnic origin, gender, gender identity, sexual orientation, age, disease, or mental or physical disability. Thus, promoting hatred online may involve racism, antisemitism, Islamophobia, xenophobia, sexism, misogyny, homophobia, transphobia, ageism, ableism, or any combination thereof. Motivations for hate speech range from group preservation to ideological superiority to the unbridled infliction of suffering.
The tag is: misp-galaxy:disarm-techniques="Spread Hate"
Links |
Acquire Compromised Asset
Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.
The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Asset"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.md |
Acquire Compromised Account
Threat Actors can take over existing users’ accounts to distribute campaign content.
The actor may maintain the asset’s previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.
The actor may completely rebrand the account to exploit its existing reach, or rely on the account’s history to avoid the more stringent automated content moderation rules applied to new accounts.
See also [Mitre ATT&CK’s T1586 Compromise Accounts](https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.
This Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.
The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Account"
Links |
Acquire Compromised Website
Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites’ personas are maintained to add credence to threat actors’ narratives.
See also [Mitre ATT&CK’s T1584 Compromise Infrastructure](https://attack.mitre.org/techniques/T1584/) for more technical information on how threat actors may achieve this objective.
The tag is: misp-galaxy:disarm-techniques="Acquire Compromised Website"
Links |
Fabricate Grassroots Movement
This technique, sometimes known as "astroturfing", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives.
Astroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to "Utilise Butterfly Attacks", which aims to discredit an existing grassroots movement.
This Technique was previously called Astroturfing, and used the ID T0099.001.
The tag is: misp-galaxy:disarm-techniques="Fabricate Grassroots Movement"
Links |
https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0142.md |
Election guidelines
Universal Development and Security Guidelines as Applicable to Election Technology.
Election guidelines is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
NIS Cooperation Group
Tampering with registrations
Tampering with registrations
The tag is: misp-galaxy:guidelines="Tampering with registrations"
Links |
DoS or overload of party/campaign registration, causing them to miss the deadline
DoS or overload of party/campaign registration, causing them to miss the deadline
The tag is: misp-galaxy:guidelines="DoS or overload of party/campaign registration, causing them to miss the deadline"
Links |
Fabricated signatures from sponsor
Fabricated signatures from sponsor
The tag is: misp-galaxy:guidelines="Fabricated signatures from sponsor"
Links |
Identity fraud during voter registration
Identity fraud during voter registration
The tag is: misp-galaxy:guidelines="Identity fraud during voter registration"
Links |
Deleting or tampering with voter data
Deleting or tampering with voter data
The tag is: misp-galaxy:guidelines="Deleting or tampering with voter data"
Links |
DoS or overload of voter registration system, suppressing voters
DoS or overload of voter registration system, suppressing voters
The tag is: misp-galaxy:guidelines="DoS or overload of voter registration system, suppressing voters"
Links |
Hacking candidate laptops or email accounts
Hacking candidate laptops or email accounts
The tag is: misp-galaxy:guidelines="Hacking candidate laptops or email accounts"
Links |
Hacking campaign websites (defacement, DoS)
Hacking campaign websites (defacement, DoS)
The tag is: misp-galaxy:guidelines="Hacking campaign websites (defacement, DoS)"
Links |
Misconfiguration of a website
Misconfiguration of a website
The tag is: misp-galaxy:guidelines="Misconfiguration of a website"
Links |
Leak of confidential information
Leak of confidential information
The tag is: misp-galaxy:guidelines="Leak of confidential information"
Links |
Hacking/misconfiguration of government servers, communication networks, or endpoints
Hacking/misconfiguration of government servers, communication networks, or endpoints
The tag is: misp-galaxy:guidelines="Hacking/misconfiguration of government servers, communication networks, or endpoints"
Links |
Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results
Hacking government websites, spreading misinformation on the election process, registered parties/candidates, or results
The tag is: misp-galaxy:guidelines="Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results"
Links |
DoS or overload of government websites
DoS or overload of government websites
The tag is: misp-galaxy:guidelines="DoS or overload of government websites"
Links |
Tampering or DoS of voting and/or vote confidentiality during or after the elections
Tampering or DoS of voting and/or vote confidentiality during or after the elections
The tag is: misp-galaxy:guidelines="Tampering or DoS of voting and/or vote confidentiality during or after the elections"
Links |
Software bug altering results
Software bug altering results
The tag is: misp-galaxy:guidelines="Software bug altering results"
Links |
Tampering with logs/journals
Tampering with logs/journals
The tag is: misp-galaxy:guidelines="Tampering with logs/journals"
Links |
Breach of voters privacy during the casting of votes
Breach of voters privacy during the casting of votes
The tag is: misp-galaxy:guidelines="Breach of voters privacy during the casting of votes"
Links |
Tampering, DoS or overload of the systems used for counting or aggregating results
Tampering, DoS or overload of the systems used for counting or aggregating results
The tag is: misp-galaxy:guidelines="Tampering, DoS or overload of the systems used for counting or aggregating results"
Links |
Tampering or DoS of communication links uesd to transfer (interim) results
Tampering or DoS of communication links used to transfer (interim) results
The tag is: misp-galaxy:guidelines="Tampering or DoS of communication links uesd to transfer (interim) results"
Links |
Tampering with supply chain involved in the movement or transfer data
Tampering with the supply chain involved in the movement or transfer of data
The tag is: misp-galaxy:guidelines="Tampering with supply chain involved in the movement or transfer data"
Links |
Hacking of internal systems used by media or press
Hacking of internal systems used by media or press
The tag is: misp-galaxy:guidelines="Hacking of internal systems used by media or press"
Links |
Tampering, DoS, or overload of media communication links
Tampering, DoS, or overload of media communication links
The tag is: misp-galaxy:guidelines="Tampering, DoS, or overload of media communication links"
Links |
Defacement, DoS or overload of websites or other systems used for publication of the results
Defacement, DoS or overload of websites or other systems used for publication of the results
The tag is: misp-galaxy:guidelines="Defacement, DoS or overload of websites or other systems used for publication of the results"
Links |
Entity
Description of entities that can be involved in events.
Entity is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Various
Exploit-Kit
Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It is not meant to be exhaustive, but aims to cover the kits most seen in the past 5 years.
Exploit-Kit is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Kafeine - Will Metcalf - KahuSecurity
Astrum
Astrum Exploit Kit is a private exploit kit used in massive-scale malvertising campaigns. It is notable for its use of steganography.
The tag is: misp-galaxy:exploit-kit="Astrum"
Astrum is also known as:
-
Stegano EK
Links |
Underminer
Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, prevention of client revisits, URL randomization, and asymmetric encryption of payloads.
The tag is: misp-galaxy:exploit-kit="Underminer"
Underminer is also known as:
-
Underminer EK
Links |
Fallout
Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competing exploit kits.
The tag is: misp-galaxy:exploit-kit="Fallout"
Fallout is also known as:
-
Fallout
Fallout has relationships with:
-
dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain"
Links |
https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html |
Bingo
Bingo EK is the name chosen by the defence for a Fiesta-like EK first spotted in March 2017 and targeting, at that time, mostly Russia.
The tag is: misp-galaxy:exploit-kit="Bingo"
Terror EK
Terror EK is built on Hunter, Sundown and RIG EK code.
The tag is: misp-galaxy:exploit-kit="Terror EK"
Terror EK is also known as:
-
Blaze EK
-
Neptune EK
Links |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit—More-like-Error-Exploit-Kit/ |
DealersChoice
DealersChoice is a Flash Player Exploit platform triggered by RTF.
DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Networks researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This component appeared in 2016 and is still in use.
The tag is: misp-galaxy:exploit-kit="DealersChoice"
DealersChoice is also known as:
-
Sednit RTF EK
Links |
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ |
DNSChanger
DNSChanger Exploit Kit is an exploit kit targeting routers via the browser.
The tag is: misp-galaxy:exploit-kit="DNSChanger"
DNSChanger is also known as:
-
RouterEK
Links |
http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html |
Novidade
Novidade Exploit Kit is an exploit kit targeting routers via the browser.
The tag is: misp-galaxy:exploit-kit="Novidade"
Novidade is also known as:
-
DNSGhost
Links |
Disdain
Disdain EK was introduced on an underground forum on 2017-08-07. The panel is stolen from Sundown, the patterns resemble Terror, and the obfuscation is reminiscent of Nebula.
The tag is: misp-galaxy:exploit-kit="Disdain"
Links |
http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/ |
Kaixin
Kaixin is an exploit kit mainly seen behind compromised websites in Asia.
The tag is: misp-galaxy:exploit-kit="Kaixin"
Kaixin is also known as:
-
CK vip
Links |
http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/ |
Magnitude
Magnitude EK
The tag is: misp-galaxy:exploit-kit="Magnitude"
Magnitude is also known as:
-
Popads EK
-
TopExp
-
Magniber
-
Magnitude EK
Links |
http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html |
MWI
Microsoft Word Intruder is an exploit kit focused on Word and embedded Flash exploits. The author wants to prevent customers from using it in mass spam campaigns, so it is most often connected to semi-targeted attacks.
The tag is: misp-galaxy:exploit-kit="MWI"
Links |
https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html |
ThreadKit
ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017.
The tag is: misp-galaxy:exploit-kit="ThreadKit"
Links |
VenomKit
VenomKit is the name given to a kit sold since April 2017 as "Word 1day exploit builder" by the user badbullzvenom. The author allows its use only in targeted campaigns. It is used, for instance, by the "Cobalt Gang".
The tag is: misp-galaxy:exploit-kit="VenomKit"
VenomKit is also known as:
-
Venom
Links |
Taurus Builder
Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user "badbullzvenom".
The tag is: misp-galaxy:exploit-kit="Taurus Builder"
RIG
RIG is an exploit kit derived from Infinity EK, itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible to "vip" customers and RIG 3 was still in use.
The tag is: misp-galaxy:exploit-kit="RIG"
RIG is also known as:
-
RIG 3
-
RIG-v
-
RIG 4
-
Meadgive
Links |
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html |
Spelevo
Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK.
The tag is: misp-galaxy:exploit-kit="Spelevo"
Links |
Sednit EK
Sednit EK is the exploit kit used by APT28.
The tag is: misp-galaxy:exploit-kit="Sednit EK"
Sednit EK is also known as:
-
SedKit
Links |
http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/ |
Sundown-P
Sundown-P/Sundown-Pirate is a rip of Sundown used privately (by one group only). First spotted at the end of June 2017, it was branded as CaptainBlack in August 2017.
The tag is: misp-galaxy:exploit-kit="Sundown-P"
Sundown-P is also known as:
-
Sundown-Pirate
-
CaptainBlack
Links |
Bizarro Sundown
Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features.
The tag is: misp-galaxy:exploit-kit="Bizarro Sundown"
Bizarro Sundown is also known as:
-
Sundown-b
Links |
https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/ |
Hunter
Hunter EK is an evolution of 3Ros EK.
The tag is: misp-galaxy:exploit-kit="Hunter"
Hunter is also known as:
-
3ROS Exploit Kit
Hunter has relationships with:
-
similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"
Links |
GreenFlash Sundown
GreenFlash Sundown is a variation of Bizarro Sundown without a landing page.
The tag is: misp-galaxy:exploit-kit="GreenFlash Sundown"
GreenFlash Sundown is also known as:
-
Sundown-GF
Links |
Angler
The Angler Exploit Kit was the most popular and evolved exploit kit from 2014 to the middle of 2016. There were several variations: the historical "indexm" variant, used to spread Lurk; a VIP version used notably to spread Poweliks; the "standard" commercial version; and a variant tied to load selling (mostly bankers) that can be associated with EmpirePPC.
The tag is: misp-galaxy:exploit-kit="Angler"
Angler is also known as:
-
XXX
-
AEK
-
Axpergle
Archie
Archie EK
The tag is: misp-galaxy:exploit-kit="Archie"
Links |
https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit |
BlackHole
The BlackHole Exploit Kit was the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch’s arrest (all activity since then is anecdotal and based on an old leak).
The tag is: misp-galaxy:exploit-kit="BlackHole"
BlackHole is also known as:
-
BHEK
BlackHole has relationships with:
-
similar: misp-galaxy:rat="BlackHole" with estimative-language:likelihood-probability="likely"
Links |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/ |
https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/ |
Bleeding Life
Bleeding Life is an exploit kit that became open source with its version 2.
The tag is: misp-galaxy:exploit-kit="Bleeding Life"
Bleeding Life is also known as:
-
BL
-
BL2
Links |
http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/ |
http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html |
Cool
The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013.
The tag is: misp-galaxy:exploit-kit="Cool"
Cool is also known as:
-
CEK
-
Styxy Cool
Links |
http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html |
http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/ |
Fiesta
Fiesta Exploit Kit
The tag is: misp-galaxy:exploit-kit="Fiesta"
Fiesta is also known as:
-
NeoSploit
-
Fiexp
Links |
http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an |
Empire
The Empire Pack is a variation of RIG operated by a load seller. It is fed by many traffic actors.
The tag is: misp-galaxy:exploit-kit="Empire"
Empire is also known as:
-
RIG-E
Empire has relationships with:
-
similar: misp-galaxy:tool="Empire" with estimative-language:likelihood-probability="likely"
Links |
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html |
FlashPack
FlashPack EK had multiple forks. The most common variant seen was the standalone Flash version.
The tag is: misp-galaxy:exploit-kit="FlashPack"
FlashPack is also known as:
-
FlashEK
-
SafePack
-
CritXPack
-
Vintage Pack
Links |
http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html |
http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html |
Glazunov
Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. The Glazunov compromise activity is likely the ancestor of what became EITest in July 2014. Sibhost and Flimkit later showed similarities with this exploit kit.
The tag is: misp-galaxy:exploit-kit="Glazunov"
Links |
https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/ |
GrandSoft
GrandSoft Exploit Kit was a fairly common exploit kit used in 2012/2013. It disappeared between March 2014 and September 2017.
The tag is: misp-galaxy:exploit-kit="GrandSoft"
GrandSoft is also known as:
-
StampEK
-
SofosFO
HanJuan
HanJuan EK was a single-actor variation of Angler EK used in an evolved malvertising chain targeting the USA. It used a 0-day (CVE-2015-0313) from the beginning of December 2014 until the beginning of February 2015.
The tag is: misp-galaxy:exploit-kit="HanJuan"
Links |
https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/ |
Himan
Himan Exploit Kit
The tag is: misp-galaxy:exploit-kit="Himan"
Himan is also known as:
-
High Load
Links |
Impact
Impact EK
The tag is: misp-galaxy:exploit-kit="Impact"
Links |
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html |
Infinity
Infinity is an evolution of Redkit.
The tag is: misp-galaxy:exploit-kit="Infinity"
Infinity is also known as:
-
Redkit v2.0
-
Goon
Links |
http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html |
http://www.kahusecurity.com/2014/the-resurrection-of-redkit/ |
Lightsout
Lightsout Exploit Kit has been used in watering hole attacks performed by the APT group Havex.
The tag is: misp-galaxy:exploit-kit="Lightsout"
Nebula
Nebula Exploit Kit was built on Sundown source and features an internal TDS.
The tag is: misp-galaxy:exploit-kit="Nebula"
Links |
http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html |
Neutrino
Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it became private (the defence name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.
The tag is: misp-galaxy:exploit-kit="Neutrino"
Neutrino is also known as:
-
Job314
-
Neutrino Rebooted
-
Neutrino-v
Neutrino has relationships with:
-
similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"
Links |
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html |
http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html |
Niteris
Niteris was used mainly to target Russian users.
The tag is: misp-galaxy:exploit-kit="Niteris"
Niteris is also known as:
-
CottonCastle
Links |
http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html |
Nuclear
The Nuclear Pack appeared in 2009 and has been one of the longest-lived exploit kits. Spartan EK was a variation of Nuclear Pack without a landing page.
The tag is: misp-galaxy:exploit-kit="Nuclear"
Nuclear is also known as:
-
NEK
-
Nuclear Pack
-
Spartan
-
Neclu
Links |
Phoenix
Phoenix Exploit Kit
The tag is: misp-galaxy:exploit-kit="Phoenix"
Phoenix is also known as:
-
PEK
Links |
http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html |
Private Exploit Pack
Private Exploit Pack
The tag is: misp-galaxy:exploit-kit="Private Exploit Pack"
Private Exploit Pack is also known as:
-
PEP
Links |
http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html |
Redkit
Redkit was a major exploit kit in 2012. One of its specific features was to grant access in exchange for a share of the customer’s traffic.
The tag is: misp-galaxy:exploit-kit="Redkit"
Sakura
Sakura Exploit Kit appeared in 2012 and was adopted by several big actors.
The tag is: misp-galaxy:exploit-kit="Sakura"
Links |
SPL
SPL exploit kit was mainly seen in 2012/2013, most often associated with ZeroAccess and Scareware/FakeAV.
The tag is: misp-galaxy:exploit-kit="SPL"
SPL is also known as:
-
SPL_Data
-
SPLNet
-
SPL2
Links |
Sundown
Sundown Exploit Kit is mainly built out of stolen code from other exploit kits.
The tag is: misp-galaxy:exploit-kit="Sundown"
Sundown is also known as:
-
Beps
-
Xer
-
Beta
Links |
http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html |
Sweet-Orange
Sweet Orange
The tag is: misp-galaxy:exploit-kit="Sweet-Orange"
Sweet-Orange is also known as:
-
SWO
-
Anogre
Links |
http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html |
Styx
Styx Exploit Kit
The tag is: misp-galaxy:exploit-kit="Styx"
WhiteHole
WhiteHole Exploit Kit appeared in January 2013 in the wake of CVE-2013-0422.
The tag is: misp-galaxy:exploit-kit="WhiteHole"
Links |
http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html |
Unknown
Unknown Exploit Kit. This is a placeholder for any undocumented exploit kit. If you use this tag, we will be more than happy to give the associated EK a deep look.
The tag is: misp-galaxy:exploit-kit="Unknown"
Links |
SpelevoEK
The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.
The tag is: misp-galaxy:exploit-kit="SpelevoEK"
Links |
FIRST CSIRT Services Framework
The Computer Security Incident Response Team (CSIRT) Services Framework is a high-level document describing in a structured way a collection of cyber security services and associated functions that Computer Security Incident Response Teams and other teams providing incident management related services may provide.
FIRST CSIRT Services Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
FIRST - CIRCL - Jean-Louis Huynen
Service: Monitoring and detection
Based on logs, NetFlow data, IDS alerts, sensor networks, external sources, or other available information security event data, apply a range of methods from simple logic or pattern matching rules to the application of statistical models or machine learning in order to identify potential information security incidents. This can involve a vast amount of data and typically, but not necessarily, requires specialized tools such as Security Information and Event Management (SIEM) or big data platforms to process. An important objective of continuous improvement is to minimize the amount of false alarms that need to be analyzed as part of the Analyzing service.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Monitoring and detection"
Service: Event analysis
The flow of detected potential information security incidents must be triaged and each one qualified as an information security incident (true positive) or as a false alarm (false positive) using manual and/or automated analysis. This may require manual or automated gathering of additional information, depending on the detection use case. Priority should be given to the analysis of potentially more critical information security incidents to ensure timely reaction to what is most important. Structured qualification of detected potential information security incidents enables effective continuous improvement in a directed way by identifying detection use cases, data sources, or processes with quality issues.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Event analysis"
Service: Information security incident report acceptance
For a CSIRT, the most important task is the acceptance of reports about information security events and potential information security incidents affecting networks, devices, components, users, organizations, or infrastructure—referred to as the “target”—inside the constituency. The CSIRT should anticipate that potential information security incidents may be reported from various sources in various formats, both manually and automatically. To enable constituents to report information security incidents more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report information security incidents. Reporting mechanisms can include email, a website, a dedicated information security incident reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of an information security incidents reporting form itself, should be provided in separate documentation or via a webpage, and should list the specific information that is desirable for inclusion in the report. Due to the potentially large number of automatically escalated potential information security incidents detected via an Information Security Event Management service, this must be planned for in advance of adopting such interfaces or authorizing constituents to use them.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident report acceptance"
Service: Information security incident analysis
This service consists of functions to gain an understanding of the information security incident and its actual and potential impact to identify the underlying issues or vulnerabilities or weaknesses (root causes) that allowed the successful attack, compromise, or exploit. Detailed analysis is often complex and time-consuming. The objective is to identify and characterize the information security incident in as much detail as required or justified by the current understanding of its impact. Information security incidents can be characterized by scope, affected entities, tools, or attacks deployed, timelines, etc. This service may continue in parallel while the Information Security Incident Coordination service and functions are occurring or mitigation/recovery actions are taken. The CSIRT may use other information and its own analysis (see below for some options) or knowledge available from vendors and product security teams or security researchers to better understand what has happened and what steps to take to remedy losses or damage.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident analysis"
Service: Artifact and forensic evidence analysis
The services related to the understanding of the capabilities and intent of artefacts (e.g., malware, exploits, volatile memory dumps or disk copies, application code, logs, documents), their delivery mechanisms, their propagation, their detection, their mitigation, and their disarming or neutralization. This applies to any formats and sources: hardware, firmware, memory, software, etc. Any artefact or evidence must be preserved and collected without any modification, and kept in isolation. As some artefacts and data may become evidence in the context of law enforcement activities, specific regulations or requirements may apply. Even without preserving a chain of custody, this service usually involves complex and time-consuming tasks, and requires expertise, setting up dedicated and monitored analysis environments—with or without external access from standard wired or wireless networks (such as performing the forensic activities in a sealed or Faraday room)—logging of activities, and compliance with procedures. As part of the handling of information security incidents, digital artefacts may be found on affected systems or malware distribution sites. Artefacts may be the remnants of an intruder attack, such as executables, scripts, files, images, configuration files, tools, tool outputs, logs, live or dormant pieces of code, etc.
The analysis is carried out in order to find out some or all of the information listed below, which is not considered to be a complete list:
- The context required for the artefact to run and to perform its intended tasks, whether malicious or not
- How the artefacts may have been utilized for the attack: uploaded, downloaded, copied, executed, or created within an organization’s environments or components
- Which systems have been involved locally and remotely to support the distribution and actions
- What an intruder did once access to the system, network, organization, or infrastructure was established: from passively collecting data, to actively scanning and transmitting data for exfiltration purposes, or collecting new action requests, updating itself or making a lateral movement inside a compromised (local) network
- What a user, user process, or user system did once the user account or user device was compromised
- What behavior characterizes the artefacts or compromised systems, either in standalone mode, in conjunction with artefacts or components, connected to a local network or the Internet, or in any combination
- How the artefacts or compromised systems establish connectivity with the target (e.g., intrusion path, initial target, or detection evasion techniques)
- What communication architecture (peer-to-peer, command-and-control, both) has been utilized
- What the actions of the threat actors were, and what their network and systems footprint is
- How the intruders or artefacts evaded detection (even over long periods of time, which may include reboot or reinitialization)
This can be achieved through various types of activities, including:
- media or surface analysis
- reverse engineering
- runtime or dynamic analysis
- comparative analysis
Each activity provides additional information about the artefacts.
Analysis methods include but are not limited to identification of type and characteristics of artefacts, comparison with known artefacts, observation of artefact execution in a runtime or a live environment, and disassembling and interpreting binary artefacts. In carrying out an analysis of the artefacts, an analyst attempts to reconstruct and determine what the intruder did, in order to detect the exploited vulnerability, assess damages, develop solutions to mitigate against the artefacts, and provide information to constituents and other researchers.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Artifact and forensic evidence analysis"
Service: Mitigation and recovery
Once the analysis has confirmed a potential information security incident and a response strategy has been developed, this must be turned into a response plan. Even before a response plan can be finalized, ad-hoc measures may be taken. This service also includes the initiating and tracking of all activities which are performed until the information security incident can be considered closed, or until new information becomes available that requires further analysis and may therefore also change the response strategy and plan.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Mitigation and recovery"
Service: Information security incident coordination
Being notified and kept informed about the details and ongoing activities in relation to an information security incident is critical for all stakeholders and organizations involved. As some activities required for a successful mitigation and recovery might involve management approval, suitable escalation and reporting functions must be established before any information security incident can be handled effectively and efficiently. As the CSIRT analyzes all information as it becomes available, coordination makes sure that notifications and information reach the right points of contact, tracks their responses, and makes sure that all parties carrying out activities report back to provide accurate situational awareness until the information security incident is considered closed and requires no further coordination. Stakeholders should have avenues to submit questions, check the status of information security incidents, and report issues to the CSIRT. To engage internal stakeholders, the CSIRT should provide communications channels to advertise the remediation status of information security incidents. To engage external stakeholders, the CSIRT should maintain communications channels to other CSIRTs and CSIRT communities that might provide recommendations or technical support.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Information security incident coordination"
Service: Crisis management support
While today's information security incidents rarely constitute an organizational or national crisis, they have the potential to do so. The response to a crisis is usually associated with an emergency that threatens the well-being of humans and society at large, or at least the existence of an organization. As is established practice in crisis management, a high-ranking role takes over responsibility for the crisis, thereby changing the usual line of command for the duration of the emergency. As systems and networks might contribute to emergencies or are required to be available to respond to a crisis situation, a CSIRT will usually be a critical resource for managing such situations, providing valuable experience as well as its established services and networks of points of contact.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Crisis management support"
Service: Vulnerability discovery / research
Discovery of a new vulnerability is a necessary first step that starts the overall vulnerability management lifecycle. This service includes those functions and activities that a CSIRT may actively perform through its own research or other services to discover a new vulnerability. Functions and activities related to the passive receipt of new vulnerability information from someone else are described later in the Vulnerability Report Intake service. Occasionally a new vulnerability may be discovered by a CSIRT during other activities, such as while analyzing or investigating an incident report. Another means of learning of a new vulnerability is through reading public sources (e.g., websites, mailing lists), other external sources (e.g., premium services, subscriptions), or by actively looking for vulnerabilities through deliberate research (e.g., through fuzz testing, reverse engineering). Such discoveries should be documented and fed into the organization’s vulnerability handling processes, regardless of how the CSIRT discovered or learned of the vulnerability.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability discovery / research"
Service: Vulnerability report intake
One of the primary sources of vulnerability information may be reports or questions sent from a CSIRT’s constituents or other third parties. The CSIRT should anticipate that vulnerabilities may be reported from these various sources, and provide a mechanism, a process, and guidance for vulnerability reporting. Reporting infrastructures may include email or a web-based vulnerability reporting form. Not all vulnerabilities are reported directly to a CSIRT by constituents or third parties through the established channels. Supporting guidance should include reporting guidelines, contact information, and any disclosure policies. To enable constituents to report vulnerabilities more effectively, the CSIRT should provide one or more mechanisms as well as guidance or instructions on what and how to securely report vulnerabilities. Reporting mechanisms can include email, a website, a dedicated vulnerability reporting form or portal, or other appropriate methods to enable reports to be submitted safely and securely. Reporting guidance, if not included as part of a vulnerability reporting form itself, should be provided in separate documentation or via a web page, and should list the specific information that is desirable to be included in the report.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability report intake"
Service: Vulnerability analysis
The Vulnerability Analysis service consists of functions aimed at gaining an understanding of the vulnerability and its potential impact, identifying the underlying issue or flaw (root cause) that allows the vulnerability to be exploited, and identifying one or more remediation or mitigation strategies to prevent or minimize the exploitation of the vulnerability. The Vulnerability Analysis service and functions can continue in parallel while the Vulnerability Coordination service and functions occur with other participants in a coordinated vulnerability disclosure (CVD) process.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability analysis"
Service: Vulnerability coordination
The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including vulnerability finders/reporters, affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability coordination"
Service: Vulnerability disclosure
Inform the constituents of any known vulnerabilities (potential entry points for attackers), so that their systems can be kept up to date and monitored for exploits. Disclosure methods may include publication of information through multiple communication channels (e.g., website, email, social media), a vulnerability database, or other media. This service often, but not always, occurs following Vulnerability Coordination.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability disclosure"
Service: Vulnerability response
The functions under this service are intended to determine whether a disclosed vulnerability exists on a constituent’s systems, often through the intentional act of looking for the presence of such vulnerabilities. The service can also include the follow-on actions to remediate or mitigate the vulnerability through the deployment of patches or workaround strategies.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Vulnerability response"
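The check this service describes (does a disclosed vulnerability exist on constituent systems, and what is the follow-on action), as an added example that is not part of the framework or of MISP: a constructed advisory lists affected version ranges and fixed releases, and a constructed inventory export is matched against it, internet-exposed hosts first. The advisory identifier, product name, version numbers and host names are made up, and versions are assumed to be dotted numeric strings.

```python
"""Vulnerability response: check a constituency's inventory against a disclosed
vulnerability. Added example (not FIRST framework or MISP code): the advisory,
its version ranges and the host inventory are constructed, and versions are
assumed to be dotted numeric strings."""


def parse_version(v):
    """'2.4.57' -> (2, 4, 57). Trailing non-digits in a component are dropped
    ('2.4.57a' -> (2, 4, 57)); assumes a dotted numeric scheme."""
    parts = []
    for comp in v.split("."):
        digits = ""
        for ch in comp:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, ranges):
    """ranges: [(min_inclusive, max_exclusive)]; either bound may be None."""
    v = parse_version(version)
    for lo, hi in ranges:
        if lo is not None and v < parse_version(lo):
            continue
        if hi is not None and v >= parse_version(hi):
            continue
        return True
    return False


# Constructed advisory: two affected branches, each with a fixed release.
ADVISORY = {
    "id": "ADV-EXAMPLE-0001",          # hypothetical identifier
    "product": "examplehttpd",
    "affected": [("2.4.0", "2.4.58"), ("2.2.0", "2.2.35")],
    "fixed_in": ["2.4.58", "2.2.35"],
}

# Constructed inventory export: (host, product, version, internet_exposed)
INVENTORY = [
    ("web-dmz-01", "examplehttpd", "2.4.57", True),
    ("web-int-02", "examplehttpd", "2.4.58", False),   # already on the fixed release
    ("legacy-03",  "examplehttpd", "2.2.34", False),
    ("app-04",     "otherapp",     "1.0.0",  True),    # different product, out of scope
    ("web-dmz-05", "examplehttpd", "2.4.41", True),
]


def vulnerable_hosts(inventory, advisory):
    """[(host, version, exposed)] for affected hosts, internet-exposed first."""
    hits = [(host, ver, exposed) for host, prod, ver, exposed in inventory
            if prod == advisory["product"] and is_affected(ver, advisory["affected"])]
    return sorted(hits, key=lambda h: (not h[2], h[0]))


def remediation_target(version, fixed_in):
    """Smallest fixed release newer than the installed version, or None when the
    advisory lists no fix beyond it."""
    v = parse_version(version)
    candidates = [f for f in fixed_in if parse_version(f) > v]
    return min(candidates, key=parse_version) if candidates else None


def response_plan(inventory, advisory):
    """[(host, current_version, target_version)] in triage order."""
    return [(host, ver, remediation_target(ver, advisory["fixed_in"]))
            for host, ver, _ in vulnerable_hosts(inventory, advisory)]


if __name__ == "__main__":
    for host, cur, target in response_plan(INVENTORY, ADVISORY):
        print(f"{host}: {ADVISORY['product']} {cur} -> upgrade to {target}")
```

A version-based match is a hypothesis, not confirmation: distribution packages that backport fixes keep the old version string, so the result should be confirmed by a scan or configuration check before the host is closed as remediated or dismissed as unaffected.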
Service: Data acquisition
Solicit, collect, determine, and satisfy the constituencies' information requirements to achieve awareness of important internal and external relevant activities. This service includes the logistics of collecting relevant information including news of current events, scheduling future events, reports and feeds, filtering the collected information, organizing information for use in incident analysis, prevention, detection, or other activities (such as planning or trending), storing it for later use, improving its "searchability", and more. Collected data will be used to determine the preventative measures needed and to help make informed decisions regarding incident management and information assurance activities. Without a basic perception of important environmental elements, the risk of other services forming an incorrect picture increases. CSIRTs will need to establish policy and procedures, and may employ technology to collect and vet information.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Data acquisition"
Service: Analysis and synthesis
The process of using current data, history, and analysis techniques to determine what is occurring that may impact the constituency assets and security posture, often done by determining an answer to a question or testing an intuition. Analysis may reveal when events do not match typical expected behavior, or may reveal information about the circumstance, nature, or origin of events or behaviors. Analysis may reveal implications to current and future situations. For example: a system may log that a user ID successfully logged into the system, but the system does not indicate whether the event was performed by a legitimate user. New sources (such as interviews with the user) will need to be incorporated into the analysis to provide the team with a more accurate picture to determine the legitimacy of the event. A variety of techniques may be used to analyze and interpret the collected data and its effect upon the constituency.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Analysis and synthesis"
Service: Communication
The knowledge obtained from situational awareness must be communicated to the constituency. This will allow it to react to observations and to take actions that will improve defensive situations, e.g., reducing third-party risk by improving the security environment at certain high-risk suppliers.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Communication"
Service: Awareness building
This service includes working with the constituency, experts, and trusted partners to raise the collective understanding of threats and actions that can be taken to prevent or mitigate the risks posed by these threats.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Awareness building"
Service: Training and education
A training and education program can help the CSIRT to establish relationships and to improve the overall cybersecurity posture of its constituency, including the ability to prevent future incidents from happening. Such a program can help:
- maintain user awareness
- help the constituency understand the changing landscape and threats
- facilitate information exchange between the CSIRT and its constituency
- train the constituency on tools, processes and procedures related to security and incident management
This can be done through various types of activities including documenting the knowledge, skills, and abilities (KSAs) required, developing educational and training materials, delivering content, mentoring, and professional and skill development. Each of these activities will collectively contribute to the constituency's and the team's capabilities.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Training and education"
Service: Exercises
Services are offered by the organization to constituents that support the design, execution, and evaluation of cyber exercises intended to train and/or evaluate the capabilities of individual constituents and the stakeholder community as a whole, including communications capabilities. These types of exercises can be used to:
- test policies and procedures: assess whether there are sufficient policies and procedures in place to effectively detect, respond to and mitigate incidents. This is, generally, a paper/table-top exercise.
- test operational readiness: assess whether the organization has an incident management capability that is able to detect, respond to and mitigate incidents in a timely and successful manner, as well as to test whether the right people are in place, directories are up-to-date, and procedures are executed correctly.
This service addresses both the needs of the organization and the needs of its constituents. More specifically, through the simulation of cybersecurity events/incidents, exercises can be used for one or several objectives:
- Demonstrate: Illustrate cybersecurity services and functions, as well as vulnerabilities, threats, and risks, in order to raise awareness.
- Train: Instruct staff on new tools, techniques, and procedures.
- Exercise: Provide an opportunity for staff to use tools, techniques, and procedures they are expected to be knowledgeable about. Exercising is necessary for perishable skills and helps improve and maintain efficiency.
- Assess: Analyze and understand the level of effectiveness and efficiency of cybersecurity services and functions, as well as the level of staff preparedness.
- Verify: Determine whether a specified level of effectiveness and/or efficiency can be achieved for cybersecurity services and functions.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Exercises"
Service: Technical and policy advisory
Support the CSIRT constituency and key stakeholders, internal or external to the constituency, in activities related to risk management and business continuity, providing technical advice as needed and contributing to the creation and implementation of the constituency’s policies, as well as influencing them to enable the CSIRT to be more effective. Policies are also important in legitimizing the services of a CSIRT.
The tag is: misp-galaxy:first-csirt-services-framework="Service: Technical and policy advisory"
Function: Log and sensor management
Sensors and log sources need operational management throughout their lifecycle. They must be deployed, onboarded, and decommissioned. Outages, data quality/scope, and configuration issues must be identified and resolved. Sensors that have some form of configuration such as pattern definitions need their configuration maintained in order to remain effective. Sensors may also include external detection services or Open Source Intelligence (OSINT) sources, if they form the basis for detection use cases.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Log and sensor management"
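The outage part of this function in working form, as an added example that is not MISP's or the framework's own tooling: every onboarded log source gets an expected maximum gap between events, and a source whose newest event is older than that gap, or that has never logged at all, is reported so the outage (or a botched onboarding) can be handled before detection use cases silently go blind. The source inventory, gap values and log lines are constructed.

```python
"""Silent log-source detection for the log and sensor management function.
Added example (not MISP or FIRST code): each source has an expected maximum gap
between events; a source whose newest event is older than that, or that has
never logged, is reported. The source list, gaps and log lines are constructed."""
from datetime import datetime, timezone

# Constructed source inventory: source -> expected max gap in seconds
EXPECTED_MAX_GAP = {
    "fw-edge-01": 60,        # perimeter firewall: continuous traffic
    "dc-auth-01": 300,       # domain controller authentication log
    "web-proxy-01": 120,
    "edr-agent-fleet": 600,  # EDR heartbeat summary
    "vpn-gw-01": 300,        # in the inventory but never seen in the log
}

# Constructed log lines: "<ISO 8601 UTC> <source> <message>"
SAMPLE_LOG = """\
2024-05-01T10:00:05Z fw-edge-01 accept src=10.0.1.5 dst=198.51.100.8
2024-05-01T10:00:50Z fw-edge-01 drop src=10.0.1.9 dst=203.0.113.7
2024-05-01T09:40:00Z dc-auth-01 4624 user=alice ws=WS-ALICE
2024-05-01T10:00:30Z web-proxy-01 GET example.test 200
2024-05-01T09:55:00Z edr-agent-fleet heartbeat ok agents=412
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(log_text):
    """{source: timestamp of its newest event}"""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, source, _message = line.split(" ", 2)
        ts = parse_ts(ts_str)
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(seen, expected, now):
    """[(source, seconds_silent)] sorted by name; None means never seen."""
    findings = []
    for source, max_gap in expected.items():
        if source not in seen:
            findings.append((source, None))
        else:
            silent_for = (now - seen[source]).total_seconds()
            if silent_for > max_gap:
                findings.append((source, int(silent_for)))
    return sorted(findings, key=lambda f: f[0])


def check(log_text, expected, now_iso):
    """Entry point: the silent sources as of `now_iso`."""
    return silent_sources(last_seen(log_text), expected, parse_ts(now_iso))


if __name__ == "__main__":
    for source, silent in check(SAMPLE_LOG, EXPECTED_MAX_GAP, "2024-05-01T10:01:00Z"):
        print(source, "never seen" if silent is None else "silent for %ds" % silent)
```

The gap values are the part that needs maintenance: a firewall that stops logging for a minute is an incident in itself, while an hourly batch export is fine being quiet for an hour, so the thresholds belong with the source's onboarding record rather than in the check.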
Function: Detection use case management
New detection approaches are developed, tested, and improved, and eventually onboarded into a detection use case in production. Instructions for analyst triage, qualification, and correlation need to be developed, for example in the form of playbooks and Standard Operating Procedures (SOPs). Use cases that do not perform well, i.e., that have an unfavorable benefit/effort ratio, need to be improved, redefined, or abandoned. The portfolio of detection use cases should be expanded in a risk-oriented way and in coordination with preventive controls.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Detection use case management"
Function: Contextual data management
The various contextual data sources that are involved in detection and enrichment need to be managed throughout their lifecycle. These can be live APIs to or exports from other IT systems such as a Configuration Management Database (CMDB), Identity and Access Management (IAM), or Threat Intel systems, or entirely separate data sets that need to be managed manually. The latter would be the case for indicator lists, watchlists and whitelists to suppress false positives.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Contextual data management"
Function: Correlation
Potential information security incidents pertaining to the same assets (e.g., systems, services, customers) or identities (e.g., users), or which are otherwise directly related to other potential information security incidents are grouped together and escalated as a single information security incident in order to avoid duplicate efforts. New potential information security incidents directly related to ongoing information security incidents are assigned to that information security incident instead of opening a new, separate information security incident.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Correlation"
Function: Qualification
Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Qualification"
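The four functions above (detection use case management, contextual data management, correlation and qualification) as one added example pipeline; this is illustrative code, not MISP's or the framework's. Two detection use cases run over constructed authentication events, each alert is enriched from stand-in CMDB and IAM exports, an analyst-maintained allowlist closes a known false positive with a fine-grained qualification label, surviving alerts on the same asset are correlated into one incident, and incidents are scored for triage order. The events, context data, allowlist and scoring weights are all constructed and hypothetical.

```python
"""Alert handling pipeline for the detection use case, contextual data,
correlation and qualification functions. Added example, not MISP or FIRST code:
the log events, CMDB/IAM context, allowlist and scoring weights are constructed."""
from collections import defaultdict

# Constructed authentication events: (timestamp, host, user, event)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00Z", "db-prod-01", "svc_backup", "logon_failure"),
    ("2024-05-01T10:00:01Z", "db-prod-01", "svc_backup", "logon_failure"),
    ("2024-05-01T10:00:02Z", "db-prod-01", "svc_backup", "logon_failure"),
    ("2024-05-01T10:00:03Z", "db-prod-01", "svc_backup", "logon_failure"),
    ("2024-05-01T10:00:04Z", "db-prod-01", "svc_backup", "logon_failure"),
    ("2024-05-01T10:00:09Z", "db-prod-01", "svc_backup", "logon_success"),
    ("2024-05-01T10:05:00Z", "ws-alice",   "alice",      "logon_failure"),
    ("2024-05-01T10:05:01Z", "ws-alice",   "alice",      "logon_success"),
    ("2024-05-01T10:10:00Z", "db-prod-01", "svc_backup", "new_admin_member"),
] + [("2024-05-01T10:2%d:00Z" % i, "scanner-01", "vuln_scanner", "logon_failure")
     for i in range(5)] + [("2024-05-01T10:25:00Z", "scanner-01", "vuln_scanner", "logon_success")]

# Constructed contextual data (stand-ins for CMDB and IAM exports)
CMDB_CRITICALITY = {"db-prod-01": "high", "ws-alice": "low", "scanner-01": "low"}
IAM_PRIVILEGED = {"svc_backup"}
# Analyst-maintained allowlist: the vulnerability scanner legitimately trips the
# brute-force rule, so this (use case, host) pair is a known false positive.
ALLOWLIST = {("UC-001", "scanner-01")}

BASE_SCORE = {"UC-001": 30, "UC-002": 50}          # hypothetical weights
CRITICALITY_WEIGHT = {"high": 40, "medium": 20, "low": 5}
PRIVILEGED_BONUS = 25


def run_use_cases(events, threshold=5):
    """Two detection use cases. UC-001: at least `threshold` logon failures for a
    (host, user) followed by a success. UC-002: any admin-group membership change."""
    alerts, failures = [], defaultdict(int)
    for ts, host, user, ev in events:
        key = (host, user)
        if ev == "logon_failure":
            failures[key] += 1
        elif ev == "logon_success":
            if failures[key] >= threshold:
                alerts.append({"use_case": "UC-001", "host": host, "user": user, "time": ts,
                               "evidence": "%d failures then success" % failures[key]})
            failures[key] = 0
        elif ev == "new_admin_member":
            alerts.append({"use_case": "UC-002", "host": host, "user": user, "time": ts,
                           "evidence": "account added to admin group"})
    return alerts


def enrich(alert):
    """Contextual data: asset criticality from the CMDB, privilege from IAM."""
    alert["criticality"] = CMDB_CRITICALITY.get(alert["host"], "medium")  # unknown asset: assume medium
    alert["privileged"] = alert["user"] in IAM_PRIVILEGED
    return alert


def qualify(alert):
    """Fine-grained qualification label; allowlisted pairs are known false positives."""
    if (alert["use_case"], alert["host"]) in ALLOWLIST:
        alert["qualification"] = "false_positive:allowlisted"
    else:
        alert["qualification"] = "pending_triage"
    return alert


def correlate(alerts):
    """Correlation: alerts pertaining to the same asset form a single incident."""
    incidents = defaultdict(list)
    for a in alerts:
        if a["qualification"] == "pending_triage":
            incidents[a["host"]].append(a)
    return dict(incidents)


def risk_score(incident_alerts):
    """Triage priority: use case base score + asset criticality + privileged identity."""
    score = 0
    for a in incident_alerts:
        score += BASE_SCORE[a["use_case"]] + CRITICALITY_WEIGHT[a["criticality"]]
        if a["privileged"]:
            score += PRIVILEGED_BONUS
    return score


def process(events):
    """Full pipeline. Returns (queue, suppressed): queue is [(host, score, alert_count)]
    highest priority first; suppressed lists alerts closed as false positives."""
    alerts = [qualify(enrich(a)) for a in run_use_cases(events)]
    suppressed = [a for a in alerts if a["qualification"] != "pending_triage"]
    incidents = correlate(alerts)
    queue = sorted(((h, risk_score(al), len(al)) for h, al in incidents.items()),
                   key=lambda q: -q[1])
    return queue, suppressed


if __name__ == "__main__":
    queue, suppressed = process(SAMPLE_EVENTS)
    for host, score, n in queue:
        print(f"incident on {host}: score={score} alerts={n}")
    for a in suppressed:
        print(f"suppressed {a['use_case']} on {a['host']}: {a['qualification']}")
```

The `qualification` label is what feeds continuous improvement: counting how often each use case ends as `false_positive:allowlisted` versus a true positive is exactly the benefit/effort measure the detection use case management function needs, and a use case that is mostly allowlist noise is a candidate for redefinition.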
Function: Information security incident report receipt
Effective intake of information security incident reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (e.g., finders, researchers, ISACs, other CSIRTs). Information security incident reports may include affected devices/networks/users/organizations, conditions already identified such as exploited vulnerabilities, impact on both the technical and business level, and actions that have been taken to start remediation and/or mitigation steps and potentially resolution. Occasionally, information security incident information may be received jointly as part of the input to other services, most notably the Vulnerability Report Intake (e.g., if an information security incident is reported that has been identified while analyzing a vulnerability report). Automatically submitted reports might or might not be acknowledged, depending on the implemented interfaces and protocols.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident report receipt"
Function: Information security incident triage and processing
Information Security Incident Reports are reviewed and triaged to obtain an initial understanding of the information security incident in question. It is of particular importance whether it has a real information security impact on the target and can result (or has already resulted) in damage to the confidentiality, availability, integrity, and/or authenticity of information assets or other assets. Depending on the amount of detail and quality of the information provided in the initial report, it may or may not be obvious whether a real information security incident has occurred or if there is a different reason, such as misconfiguration or hardware failure. The next step will be determined on the basis of the preliminary assessment (e.g., process the report for further analysis; seek additional information from the reporter or other sources; decide that the report needs no further action or is a false alarm). It is possible that attacks may originate from within the constituency of a CSIRT, may target this constituency, or the constituency is affected by collateral effects only. If the CSIRT does not provide Information Security Incident Management services for the identified targets, then the report should be forwarded securely to an external group for handling, such as the affected organization(s) or CSIRT(s). Unless there is a reason to decline an information security incident report or the report has been forwarded to another entity responsible for its handling, the report should be passed on to the Information Security Incident Analysis service for further review, analysis, and handling.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident triage and processing"
Function: Information security incident triage (prioritization and categorization)
The Information Security Incident Analysis service begins with a review of the available information to categorize, prioritize, and assess the impact an information security incident has on the involved systems relevant to the CSIRT's mandate. Some of this may have been documented during the Information Security Incident Triage and Processing function (of the Information Security Incident Report Acceptance service) if the information security incident was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the information security incident may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT's mandate (i.e., a potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area the CSIRT is responsible for according to its mandate).
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident triage (prioritization and categorization)"
Function: Information collection
Enable the collection of all valuable information to obtain the best understanding of the context, so that the origin and the content of the information can be appropriately evaluated and tagged to be used for any further processing. While collecting information, the agreed sharing policies and limitations of what data can be used in which context or for what form of processing must be accepted and adhered to. Also, the collection mechanisms and procedures must ensure that proper labeling and attribution of sources is used in order to later validate the origins as well as the appropriateness or authenticity.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information collection"
Function: Detailed analysis coordination
As more detailed technical analysis may be required, such analysis may be executed by other experts (inside or outside the host organization or CSIRT) or other third parties (such as a service provider specialized in such analysis). This requires initiating and tracking such activities up to the successful delivery of the desired analysis.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Detailed analysis coordination"
Function: Information security incident root cause analysis
This function involves the process and actions required to understand the architecture, usage, or implementation flaw(s) that caused or exposed systems, networks, users, organizations, etc. to the kind of attack, exploit, or compromise exercised against the targets of an information security incident. It is also concerned with the circumstances in which an attacker could compromise more systems, building on the initial access to gain further access. Depending on the nature of the information security incident, it may be difficult for a CSIRT to perform this function thoroughly. In many situations, this function may best be conducted by the affected target itself, especially in the context of Coordinating CSIRTs, where no detailed technical knowledge is available about the systems or networks that have been compromised.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident root cause analysis"
Function: Cross-incident correlation
This function involves the correlation of available information about multiple information security incidents to determine interrelations, trends, or applicable mitigations from already closed information security incidents to improve the response to currently handled information security incidents.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Cross-incident correlation"
Function: Media or surface analysis
This function involves identification and characterization of basic information and metadata about artefacts, including but not limited to file types, string outputs, cryptographic hashes, certificates, file sizes, file/directory names. As all available information is gathered and analyzed further, this may be used to review any public/open or private/closed source information repositories to learn more about the artefact or its behavior, as such information can be used to determine the next steps.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Media or surface analysis"
Function: Reverse engineering
Reverse engineering provides a deeper analysis of malware artefacts, including the identification of hidden actions and triggering commands. It allows the analyst to dig past any obfuscation and compilation (for binaries) and identify the program, script, or code that makes up the malware, either by uncovering any source code or by disassembling the binary into assembly language and interpreting it. In doing so, the analyst uncovers all of the functions and actions exposed in the machine code that the malware can perform. Reverse engineering is a deeper analysis that is carried out when surface and runtime analysis do not provide the full information needed.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Reverse engineering"
Function: Run time or dynamic analysis
This function involves understanding an artefact's capabilities via observation while running the sample in a real or emulated environment (e.g., sandbox, virtual environment, or hardware or software emulators). Use of a simulated environment captures changes to the host, network traffic, and output from execution. The basic premise is to observe the artefact in operation in as close to a real-life situation as possible. Samples that detect an analysis environment may withhold their real behaviour, so the absence of malicious activity in a sandbox is not by itself evidence that the artefact is benign.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Run time or dynamic analysis"
Function: Comparative analysis
This function involves exploring an artefact's relationship to other artefacts. This may identify similarities in code or modus operandi, targets, intent, and authors. Such similarities can be used to derive the scope of an attack (e.g., is there a larger target, has similar code been used before). Comparative analysis techniques can include exact match comparisons or code similarity comparisons. Comparative analysis provides a broader view of how the artefact or similar versions of it were used and changed over time, helping to understand the evolution of malware or other malicious types of artefacts.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Comparative analysis"
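The media/surface analysis function (file type from magic bytes, hashes, sizes, embedded strings and the indicators they contain) and the comparative analysis function (exact-match and similarity comparison) above, as one added example that is not MISP's or the framework's own tooling. The three samples are constructed byte strings that imitate executable headers and embedded strings, not real malware, and the URL, IP address and registry path inside them are made up; the similarity measure used is Jaccard similarity over byte 4-grams, one simple choice among many.

```python
"""Surface (static) and comparative analysis of artefacts. Added example, not
MISP or FIRST tooling: the three samples are constructed byte strings that
imitate executable headers and embedded strings, not real malware."""
import hashlib
import re

# Magic-byte prefixes for common artefact containers
MAGIC = [
    (b"MZ", "PE executable (DOS/Windows)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (also JAR/DOCX/APK)"),
    (b"%PDF", "PDF document"),
    (b"#!", "script with interpreter line"),
]
URL_RE = rb"https?://[A-Za-z0-9._\-/]+"
IPV4_RE = rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"

# Constructed samples. A and B differ only in their C2 URL; C is unrelated.
SAMPLE_A = (b"MZ\x90\x00" + b"\x00" * 8
            + b"This program cannot be run in DOS mode.\x00"
            + b"http://c2.example.test/gate.php\x00"
            + b"203.0.113.10\x00"
            + b"cmd.exe /c whoami\x00"
            + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
SAMPLE_B = SAMPLE_A.replace(b"http://c2.example.test/gate.php",
                            b"http://c2-backup.example.test/gate.php")
SAMPLE_C = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
            + b"/lib64/ld-linux-x86-64.so.2\x00"
            + b"GCC: (GNU) 12.2.0\x00"
            + b"nohup ./miner --pool pool.invalid:3333 &\x00")


def surface_analysis(data, min_len=6):
    """File type from magic bytes, size, hashes, printable strings and string-level IOCs."""
    kind = next((name for prefix, name in MAGIC if data.startswith(prefix)), "unknown")
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    iocs = sorted({m.decode("ascii")
                   for m in re.findall(URL_RE, data) + re.findall(IPV4_RE, data)})
    return {
        "type": kind,
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),     # for lookups in older repositories
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "iocs": iocs,
    }


def byte_ngrams(data, n=4):
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def compare(a, b, n=4):
    """Comparative analysis: exact match via SHA-256, otherwise Jaccard similarity
    of byte n-grams (0.0 unrelated .. 1.0 identical)."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return {"exact_match": True, "similarity": 1.0}
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    sim = len(ga & gb) / len(union) if union else 0.0
    return {"exact_match": False, "similarity": round(sim, 3)}


if __name__ == "__main__":
    report = surface_analysis(SAMPLE_A)
    print(report["type"], report["size"], report["sha256"])
    print("IOCs:", report["iocs"])
    print("A vs B:", compare(SAMPLE_A, SAMPLE_B))
    print("A vs C:", compare(SAMPLE_A, SAMPLE_C))
```

Exact hash matching only answers "have we seen this exact file"; a recompiled or reconfigured variant (sample B) fails that test but scores high on the n-gram comparison, which is the case the comparative analysis function is after. Packed or encrypted samples defeat byte-level similarity, so for those the comparison is better done on unpacked code or on behaviour captured during dynamic analysis.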
Function: Response plan establishment
Without fully understanding the business impact and requirements to mitigate and recover, no meaningful response will be provided. As there is a conflict of interest—tracking the attack to gain more intelligence vs. containing the attack to avoid further losses—it is necessary to take all interests into consideration and work out a response plan that is plausible to address the known facts and provide the desired outcome within the required timeframe. As with all plans, it must be considered that whenever new analysis results become available, the new findings need to be reviewed. Indeed, the response plan will usually need to be changed to provide continuous orientation and guidance. But without such plan—unless the response is handled by one small organizational group with little requirement of external interfaces or other entities—the activities might not be carried out effectively or efficiently due to a lack of coordination.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Response plan establishment"
Function: Ad hoc measures and containment
The immediate challenge in case of an information security incident is to stop it from spreading. While systems are compromised or malware is active on end user systems, further data losses and more compromises occur. It is usually the main objective of attacks to reach specific data and systems, including attacks (including but not limited to lateral movement) against other systems and organizations both inside and outside the organization suffering from the information security incident. Stopping or at least limiting the extent of any malicious activities or further losses requires short-term actions such as blocking or filtering traffic and removing access to specific services or systems, and can also result in the disconnection of critical systems. Denying further access to potentially critical evidence data will allow a full analysis of such evidence. Denying further access to other systems and networks will also limit the exposure to liability as a result of damage done to other organizations. Stopping immediate damage and limiting the extent of malicious activity through short-term tactical actions (for example, blocking or filtering traffic) can also involve regaining control of systems. As long as attackers or active malware have ready access to more systems or networks, no return to normal operation will be possible.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Ad hoc measures and containment"
Function: System restoration
Restore the integrity of affected systems and return the affected data, systems, and networks to a non-degraded operational state, restoring the impacted services to full functionality. As business reality usually demands that systems return to normal operation as soon as possible, there is a risk that not all means of unauthorized access have been removed successfully. Therefore, unless the analysis results are already available, even restored systems must be carefully monitored and managed. Especially if identified vulnerabilities and weaknesses cannot (yet) be eliminated, improved protection and detection mechanisms need to be applied to avoid the same or similar types of information security incidents.
The tag is: misp-galaxy:first-csirt-services-framework="Function: System restoration"
Function: Other information security entities support
A CSIRT may provide direct (onsite) assistance to help the constituents to recover from losses and to remove vulnerabilities. This might be a direct extension of offering analysis services on-site (see above). On the other hand, a CSIRT might choose to support the staff of the constituents responding to the information security incident with more detailed explanations, recommendations, etc.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Other information security entities support"
Function: Communication
A CSIRT must account for the most accurate audience as communications are crafted and released. In return, a CSIRT must also be equipped to receive incoming feedback, reports, comments, and questions from a variety of sources based on its own communication. The security policy and the information sharing policy may require information to be handled in a strict manner. The CSIRT must be able to share with stakeholders in a reliable, secure, and private manner, both externally and internally. Non-disclosure agreements must be set up as far in advance as possible and communication resources set up accordingly. As an extension, the concept of “information under embargo” can also be used. Hence, a retention policy must also be established to ensure that both the data used to craft the information and the information itself are properly handled, shared, and kept based on constraints—such as time—until these constraints become void or the information is publicly disclosed. Communication channels can take multiple forms based upon the needs of stakeholders and constituents. All information communicated must be tagged according to the information sharing policy. Traffic Light Protocol may be utilized.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Communication"
Function: Notification distribution
A security incident touches on many internal and potentially external entities and, possibly, systems and networks. As CSIRTs are a central point for receiving reports of potential information security incidents, they also serve as a hub for notifying authorized points of contact about them. The notification usually will provide not only the appropriate technical details but also information about the expected response and a point of contact for any follow-up.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Notification distribution"
Function: Relevant information distribution
As the response to an information security incident progresses, more analysis results and reports from potentially other security experts, CSIRTs, or victims become available. It may be helpful to pass some of the information and lessons learned on to the Knowledge Transfer Service Area (if supported) to improve training and technical documents as well as to help create appropriate awareness, especially if new attacks or incident trends are identified.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Relevant information distribution"
Function: Activities coordination
As many entities are potentially involved in responding to an information security incident, it is necessary to track the status of all communication and activities. This involves the actions requested by a CSIRT or requests for sharing of further information, as well as requests for technical analysis of artefacts or the sharing of indicators of compromise, information about other victims, etc. This primarily occurs when the CSIRT is reliant on expertise and resources outside of its direct control to effectuate the actions necessary to mitigate an incident. But it also occurs inside larger organizations for which an internal CSIRT coordinates the mitigation and recovery activities. By offering bilateral or multilateral coordination, the CSIRT participates in the exchange of information to enable those resources with the ability to take action to do so, or to assist others in the detection, protection, or remediation of ongoing activities from attackers, and helps to close the information security incident.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Activities coordination"
Function: Reporting
Delivering concise and factual information about the current status of activities requested or carried out in response to an information security incident. Instead of waiting to be pulled for such information as part of an ongoing coordinated action as required for any successful response, timely reports are critical to enable effective coordination.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Reporting"
Function: Media communication
Communicating with the media is unavoidable in many cases. While CSIRTs usually try to avoid such contact, it is important to realize that the media can help to mitigate specific types of ongoing and large-scale attacks causing information security incidents. For this it is necessary to explain what is causing the information security incidents and to explain the impact on users and/or organizations. In some cases, a CSIRT might choose to provide this information already in a manner suitable for release to the public, but this certainly requires specific skills inside the CSIRT that are not readily available in most. In any case, if a CSIRT communicates with the media, it must take great care to simplify the technical issues as much as possible and leave out all confidential information.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Media communication"
Function: Information distribution to constituents
As the response to a crisis progresses, information must be distributed and disseminated. As the CSIRT has established such resources for its own purposes, crisis management may see it as appropriate or necessary to use such resources.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information distribution to constituents"
Function: Information security status reporting
The function involves delivering concise and factual information about the current status of cyber security inside the constituency. As a crisis might be used to start other attacks, or as occurring attacks might be part of the overall activities leading to this crisis, it is very important for the crisis management team to establish complete situational awareness. The CSIRT can provide such situational awareness for its services and constituents. This may either be requested or be expected by standard policies in a time of crisis. In any case, as crisis management is only successful based on the established information flow and depends on coordinated resources to address the most critical aspects of the crisis, reporting must be timely and accurate. As ongoing information security incidents will require resources to handle them, a decision must be taken to either discontinue the response for the duration of the incident (and allocate the now available resources to other areas) or to carry on. Reasonable decisions can only be taken based on the best situational awareness available.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security status reporting"
Function: Strategic decisions communication
Informing other entities in a timely manner about the impact caused by the crisis on currently open information security incidents provides a clear understanding of what support can also be provided by the CSIRT during the duration of the crisis, and makes sure that entities understand what to expect. It also makes sure that other parties stop their support or interaction with the CSIRT as they might believe that the crisis is taking over. As the crisis management team may decide to postpone the response to an actual information security incident due to a crisis, such decisions need to be communicated to all entities currently informed and participating. This is to avoid misunderstandings and further issues that may also lead to a loss of trust in the CSIRT and/or host organization.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Strategic decisions communication"
Function: Incident response vulnerability discovery
During the course of analyzing a security incident, information may be discovered that indicates that a vulnerability was exploited by the attacker. An incident may have been enabled through exploitation of a known vulnerability that was previously unpatched or unmitigated; or it may be due to a new (zero-day) vulnerability. Some of this vulnerability information might be received as an output from one of the services of the Information Security Incident Management service area if a vulnerability was exploited as part of an incident. The information can then be passed on to the Vulnerability Triage function or the Vulnerability Analysis service, as appropriate.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Incident response vulnerability discovery"
Function: Public source vulnerability discovery
A CSIRT may initially learn about a new vulnerability from various public sources that announce such information. The sources can include vendor announcements, security websites, mailing lists, vulnerability databases, security conferences, social media, etc. This function may also learn of new vulnerabilities through other third-party sources that may not be completely open to the public, such as through paid subscriptions or premium services where information is shared with only a limited group. Staff may be assigned the responsibility to perform this function and collect information to organize it for further review and sharing. Similar vulnerability information might also be received from the services of the Situational Awareness service area.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Public source vulnerability discovery"
Function: Vulnerability research
This function includes the discovery of new vulnerabilities as a result of specific CSIRT activities, such as the testing of systems or software using fuzz testing (fuzzing), or through the reverse engineering of malware. This function may also receive input from the service(s) of the Information Security Incident Management service area or the Situational Awareness service area that would initiate this function to look for suspected vulnerabilities. The discovery of a new vulnerability as a result of this vulnerability research function may become input to the Incident Response service, Vulnerability Detection function (see sub-functions for Vulnerability Scanning and Vulnerability Penetration Testing).
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability research"
Function: Vulnerability report receipt
Effective intake of vulnerability reports requires mechanisms and processes to receive the reports from constituents, stakeholders, and third parties (finders, researchers, vendors, PSIRTs, other CSIRTs or vulnerability coordinators, etc.). Vulnerability information may include affected devices, conditions necessary to exploit the vulnerability, impact (e.g., privilege escalation, data access, etc.), as well as actions taken to resolve the vulnerability, remediation and/or mitigation steps, and resolution. Occasionally, vulnerability information may be received jointly as part of the input to other services, most notably the Information Security Incident Report Intake (e.g., if a vulnerability is reported to be exploited as part of an incident report).
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability report receipt"
Function: Vulnerability report triage and processing
Vulnerability reports are reviewed and triaged to obtain an initial understanding of the vulnerability in question and determine what to do next (e.g., process the vulnerability for further analysis, seek additional information from the reporter or other sources, decide that the vulnerability needs no further action). Depending on the amount of detail and quality of the information provided in the vulnerability report, it may or may not be obvious whether a new vulnerability exists. Unless there is a reason to decline a vulnerability report, the report should be passed on to the Vulnerability Analysis service for further review, analysis, and handling. If the CSIRT does not provide a Vulnerability Analysis service, then the report should be securely forwarded to an external group for handling, such as the affected vendor(s), PSIRT(s), or a vulnerability coordinator.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability report triage and processing"
Function: Vulnerability triage (validation and categorization)
The Vulnerability Analysis service begins with a review of the available information to categorize, prioritize, and assess whether a vulnerability has some impact on the involved systems and is relevant to the CSIRT’s mandate. Some of this may have been documented during the Vulnerability Report Triage and Processing function (of the Vulnerability Report Intake service) if the vulnerability was reported to the CSIRT by a constituent or third party. If prior triage has not already been completed, the vulnerability may be assigned to a subject matter expert who can provide technical confirmation that it has some impact on the involved systems and is relevant to the CSIRT’s mandate (i.e., the potential security impact on networks or systems that can result in damage to the confidentiality, availability, or integrity of information assets in an area of the CSIRT according to its mandate).
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability triage (validation and categorization)"
Function: Vulnerability root cause analysis
The goal of this analysis is to identify the root cause of the vulnerability, identifying the circumstances that allow a vulnerability to exist, and in which circumstances an attacker can consequently exploit the vulnerability. This analysis may also attempt to understand the weakness(es) leveraged to instigate an incident and the adversarial tradecraft utilized to leverage that weakness. Depending on the nature of the vulnerability, it may be difficult for a CSIRT to perform this function thoroughly. In some cases, this function may have already been performed by the finder or reporter of the vulnerability. In many situations, this function may best be conducted by the product vendor or developer of the affected software or system or their respective PSIRT. It is also possible that a vulnerability is present in more than one product, in which case multiple analyses may be needed of the affected software or systems, requiring coordination with multiple vendors, PSIRTs, or stakeholders.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability root cause analysis"
Function: Vulnerability remediation development
This function will ideally identify a remediation or a fix for a vulnerability. If a vendor patch or fix is not available in a timely manner, a temporary solution or workaround, called a mitigation, may be recommended, such as disabling the affected software or making configuration changes, to minimize the potential negative effects of the vulnerability. Note that the actual application or deployment of a remediation (patch) or mitigation (workaround) is a function of a separate service, called Vulnerability Response in this framework. As part of the Vulnerability Analysis service and Remediation Development, this function may optionally include other sub-functions or activities, such as validating the changing of a procedure or design, reviewing remediation by a third party, or identifying any new vulnerabilities introduced in the remediation steps. Vulnerabilities that are not remediated or mitigated should be documented as acceptable risks. This function will often receive information or input from the affected product’s vendor(s), sometimes as part of the initial report or announcement handled by other services or functions.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability remediation development"
Function: Vulnerability notification/reporting
The handling of most vulnerabilities involves notifying, working with, and coordinating the exchange of relevant information with multiple parties including the affected vendors, developers, PSIRTs, or other trusted experts (e.g., researchers, CSIRTs, vulnerability coordinators) who can work together to analyze and fix the vulnerability.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability notification/reporting"
Function: Vulnerability stakeholder coordination
Coordinate the exchange of information among the finders/researchers, vendors, PSIRTs, and any other participants in the coordinated vulnerability disclosure (CVD) efforts to analyze and fix the vulnerability and prepare for the disclosure of the vulnerability. This coordination should also include agreement by participants on the timing and synchronization of the disclosure.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability stakeholder coordination"
Function: Vulnerability disclosure policy and infrastructure maintenance
CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to their constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability disclosure policy and infrastructure maintenance"
Function: Vulnerability announcement/communication/dissemination
Disclose vulnerability information to defined constituents. The disclosure can be made through any or all of the mechanisms identified in the vulnerability disclosure policy. Dissemination mechanisms can vary depending on the needs or expectations of the target audience. The communication can be in the form of an announcement or security advisory distributed via email or text messaging, a publication posted to a website or social media channel, or other communication forms and channels as appropriate. Content to be included in the disclosure should follow a defined format, which typically can include information such as an overview or description, a unique vulnerability identifier, impact, severity, or CVSS score, resolution (remediation or mitigation), and supporting references or materials.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability announcement/communication/dissemination"
Function: Post-vulnerability disclosure feedback
Following the disclosure of a new vulnerability, CSIRTs can expect to receive follow-on communications in the form of questions from some constituents about a vulnerability document. The questions may indicate a need for clarification, revision, or amendment of the vulnerability disclosure mechanism, if warranted. Information from constituents may simply be an acknowledgement or receipt of the vulnerability document, or the constituent may report an issue or difficulty in deploying the suggested remediation/mitigation. If the vulnerability was determined to have been already exploited, constituents may be reporting newly discovered incidents as a result of the vulnerability disclosure. Such reports should feed into the functions of the CSIRT’s Incident Reporting service.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Post-vulnerability disclosure feedback"
Function: Vulnerability detection / scanning
The goal of this function is to detect any previously unpatched or unmitigated vulnerabilities before they are exploited or impact the network or devices. This function may be initiated in response to an announcement about a new vulnerability, or it may be achieved as part of a periodically scheduled scan for known vulnerabilities. In order to provide vulnerability detection effectively, it is useful to have a systems inventory. Having such an inventory that can be queried for software version information can enable an organization to quickly assess the likely prevalence of a newly reported vulnerability in its infrastructure.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability detection / scanning"
Function: Vulnerability remediation
Vulnerability remediation is intended to resolve or eliminate a vulnerability. For software vulnerabilities, this typically occurs through the deployment and installation of vendor-provided solutions in the form of software updates or patches. When approved patches are unavailable or cannot be deployed, an alternative mitigation or workaround may be applied as a countermeasure to prevent exploitation of the vulnerability. This function often follows a positive identification of a vulnerability as the result of the Vulnerability Detection/Scanning/Hunting function.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Vulnerability remediation"
Function: Policy aggregation, distillation, and guidance
The collection, aggregation, and distillation of policy establishes the basis of acceptable normal activity. The end result is a context that establishes how the constituency and its infrastructure are supposed to be operating under acceptable conditions. For organizational CSIRTs, context includes understanding the organization’s acceptable policies, plans, normal operating conditions, accepted risks, and tradeoffs. Understanding and context establish the basis against which observations can be evaluated.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Policy aggregation, distillation, and guidance"
Function: Asset mapping to functions, roles, actions, and key risks
CSIRT teams need to understand the current cyber security state of a constituency, and have a good understanding of what is acceptable security. They may need to know:
- Legitimate users of internal and public-facing systems and devices
- Authorized devices and what they are used for
- Approved processes and applications, where they are allowed, and how they serve the constituency
This information helps establish prioritization of assets that are potentially at risk, which can provide context for incident management activities. The more precise the information available to the CSIRT team, the easier it will be to infer security issues and do something about them. Precise information may mean the CSIRT having access to established security policies, current access controls, up-to-date hardware and software inventories, and detailed network diagrams.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Asset mapping to functions, roles, actions, and key risks"
Function: Collection
Information and data collection activities extend beyond feeds providing automated information. Collection includes identifying useful sources such as information-relevant external activities including news from other constituencies, media sources, and other CSIRTs or security organizations, internal activities (e.g., organizational changes), technology developments, external events, political events, attack trends, defensive trends, conferences, available training, and more. The data collection function supports other services such as Security Event Management, Incident Management, and Knowledge Transfer. It also supports functions and activities within these services such as analysis, prediction, response, and risk mitigation. Newly collected information may reveal that an attack on a constituent is more likely than before. External events may expose information that identifies new risks to assets for a period of time or require heightened detection activities. Overall the information helps provide actionable information to aid in decision making and incident handling.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Collection"
Function: Data processing and preparation
Data processing and preparation includes transformation, processing, normalization, and validation of a set of data. Sources of cybersecurity data need to be validated for accuracy often due to a high number of false positives. The relevant data also typically comes in different formats, and new data needs to be combined with historical data before a complete analysis can be performed. Some types of data (such as news articles) may need to be analyzed or processed as part of the preparation process. One example would be extracting relevant security information from a news article (e.g., names, dates, places, technical information, weaknesses, system names) and comparing it with internal data for potential impacts. Some analysis methods require data to be stored in the same format, or for files to have the same number of records. There are multiple processing steps that may be involved to prepare the data. Data augmentation (also called enrichment) is performed by including other available information related to a given piece of data from other internal and external sources. For example, teams may collect information related to internet protocol addresses (IP addresses) such as autonomous system identifiers, country codes, or geo-location data. For internal asset information, teams may enrich their asset inventory data with the name of the asset owner, their role, their permissions on other assets, their physical working location over time, and more.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Data processing and preparation"
Function: Projection and inference
The process of inferring the current state of a situation and making predictions about the possible likely near-term pictures based on the status and dynamics of the collected data. Sometimes the data may quickly show a security issue.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Projection and inference"
Function: Event detection (through alerting and/or hunting)
The systematic and often directed searching for anomalous activity inside and outside of network boundaries based upon external and internal information and trends. The function assists the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert of a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted on, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services. CSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Event detection (through alerting and/or hunting)"
Function: Information security incident management decision support
Performing analysis of specific evidence assists in identifying insights to support incident resolution. Sometimes, CSIRTs may focus their situational analysis to support a specific desired outcome such as incident resolution. Certain responses to an incident may affect a situational picture differently, and responders may ask for analysis (e.g., impact, cost, risk of failure) of choices. The decision-making needs of the constituency may change as their situational picture evolves, and the CSIRT team may initiate new analysis processes to assist them. This activity is related to the Incident Management Service Area. Incident Management functions are supported by Situational Awareness and the situational picture may change based upon Incident Management activities.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information security incident management decision support"
Function: Situational impact
This function identifies the impact a projection or inference may have upon a current or near-term future situation. An impact may include raising or lowering certain risks such as data loss, system downtime, or effects on data confidentiality/availability/integrity.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Situational impact"
Function: Internal and external communication
Once the results of Analyze and Interpret are complete, they can be used to improve decision-making via both internal and external communication processes. Specific pieces of information are distributed based upon who needs to know them. Communication includes the method of delivery and the content that is being delivered. A CSIRT team might communicate new information and how it will change the situational picture. An example of this would be reporting the expected change a new malicious technique it has observed during an incident would have upon a constituent member. It may also include trend information such as the most useful sources of enrichment data and steps in which constituents can use it to improve their own situational awareness.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Internal and external communication"
Function: Reporting and recommendations
Reports and recommendations should clearly indicate the choices and actions faced by constituents, and include analysis of the expected consequences of each choice or action. Communication of findings should include a list of evidence supporting the analysis and the recommendation (if a recommendation is made). The methods used to create the findings should be clearly explained to the audience so they can also judge the claims presented. The CSIRT team may create reports on a single event, a series of events, trends, patterns, possible events, or more to support the needs for their constituency to understand a situational picture.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Reporting and recommendations"
Function: Implementation
In some instances, a CSIRT team may also perform the recommended adjustments to parts of the security infrastructure, for example changing the firewall rules on a particular honey pot based upon situational analysis.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Implementation"
Function: Dissemination / integration / information sharing
This function may include the following sub-functions:
- using the results of the analysis service in internal and external planning and decision-making processes
- identifying the right targets to receive the information
- making the analysis results available
- ensuring the delivery is successful
- tracking and reporting on the sharing of information
- sending relevant information to the Knowledge Transfer service for further use and dissemination
The tag is: misp-galaxy:first-csirt-services-framework="Function: Dissemination / integration / information sharing"
Function: Management of information sharing
This function may include the following sub-functions:
- providing information to other groups
- formatting information for transfer
- tracking the transfer process and its outcome
The tag is: misp-galaxy:first-csirt-services-framework="Function: Management of information sharing"
Function: Feedback
This function involves providing and receiving feedback on information provided, received, and used by the constituency, other service providers, or other stakeholders. Was the information received accurate, applicable, timely, strategic, new/novel, etc.? Was it helpful in resolving an investigation? Did it lead to a new insight? This may also mean providing information to other CSIRTs (as an external source) on the usefulness of or changes to signatures, honeypot findings, IOCs, warnings, threat information, mitigations, etc. This activity may also be performed by the Knowledge Transfer service area. If so, the results should be communicated back to the Situational Awareness service area.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Feedback"
Function: Research and information aggregation
This function involves researching and aggregating information relevant for building awareness materials and reports, including from outcomes of other services/functions, especially from the Security Event Management, Incident Management, and Situational Awareness service areas.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Research and information aggregation"
Function: Reports and awareness materials development
This function involves developing materials for diverse audiences (technical staff, management, end users, etc.) and in various formats, such as presentations, short videos, cartoons, booklets, technical analysis, trend reports, and annual reports.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Reports and awareness materials development"
Function: Information dissemination
The function involves implementing a process of information dissemination that can help the CSIRT to best deliver its reports and awareness materials to its constituency based on the characteristics of different audiences and content.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Information dissemination"
Function: Outreach
This function involves building partnerships, promoting cooperation, and engaging key stakeholders, internal or external to the constituency, with the goal of: disseminating awareness and best practices; helping the constituency and external stakeholders understand the services and benefits a CSIRT can provide; helping the CSIRT to better understand constituents’ needs; and enabling the realization of CSIRT’s mission. This may involve ensuring interoperability or fostering collaboration between or across organizations.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Outreach"
Function: Knowledge, skill, and ability requirements gathering
This function involves collecting the knowledge, skill, and ability (KSA) needs and the current competence of a constituency in order to determine what training and education should be provided.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Knowledge, skill, and ability requirements gathering"
Function: Educational and training materials development
This function involves building or acquiring content of educational and training materials such as presentations, lectures, demonstrations, simulations, videos, books, booklets, etc.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Educational and training materials development"
Function: Content delivery
This function involves the transfer of knowledge and content to “students.” This can occur via various methods, such as computer-based/online training (CBT/WBT), instructor-led, virtual, conferences, presentations, labs, capture the flag (CTF) competitions, books, online videos, etc.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Content delivery"
Function: Mentoring
A mentoring program can provide a formal as well as an informal mechanism for the mentor to share with the mentee education and skill development, insights, and life and career experiences outside of the official reporting relationship and structure of the team. This can involve on-site visits, rotation (exchange), shadowing, and discussing the rationale for specific decisions and actions.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Mentoring"
Function: CSIRT staff professional development
Once the appropriate skills have been identified, professional development is used by a CSIRT to promote a continuous process of securing new knowledge, skills, and abilities that relate to the security profession, unique job responsibilities, and the overall team environment. This can include attending conferences, advanced training, and cross-training activities, among others.
The tag is: misp-galaxy:first-csirt-services-framework="Function: CSIRT staff professional development"
Function: Requirements analysis
Determine the learning objectives and scope of the exercise. Define the specific services, capabilities, and topics to be covered by the exercise. Ensure the exercise includes activities and topics that relate to required or desired skills needed by the participants, as well as the processes that should be tested.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Requirements analysis"
Function: Format and environment development
Define the format and platform needed to meet the objectives and deliver the expected outcomes of the exercise.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Format and environment development"
Function: Scenario development
Development of exercise scenarios in support of stakeholder objectives. Deliverables also include instructions and guidance to the participants and exercise managers; these instructions include recommended actions for the participants detailing some/all scenario steps.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Scenario development"
Function: Exercises execution
This function involves performing readiness testing of constituent “students” to test their ability to apply training and perform job or task functions. This can take the form of real or virtual environments, simulations, field tests, table tops, mock scenarios, or a combination, with injects provided in a structured manner. This will also help determine the level at which the team is operating, as well as if and where it has room for improvement.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Exercises execution"
Function: Exercise outcome review
Develop an after-action report which includes lessons learned or findings/best practices from the exercise, and provide an assessment to the stakeholders/management.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Exercise outcome review"
Function: Risk management support
Support to activities related to assessing risk or compliance. This may include conducting an actual assessment or providing support to evaluate the results of an assessment.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Risk management support"
Function: Business continuity and disaster recovery planning support
Support the constituency in the activities related to organizational resilience, based on risks identified.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Business continuity and disaster recovery planning support"
Function: Policy support
This function supports the constituency in the development, maintenance, institutionalization, and enforcement of policies, while ensuring they enable and support incident management activities. For internal CSIRTs, this typically includes support for information security and other operating policies. For coordinating and National CSIRTs, this might include support for public policies and new legislation.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Policy support"
Function: Technical advice
This function provides support and recommendations for the improvement of cybersecurity related infrastructures, tools, and services for its constituency, with the goal of improving the security posture and incident management overall. This might include advice on: security considerations for acquisition, compliance verification, maintenance, and upgrades; internal and external audits of cybersecurity related infrastructures and tools; and secure software development requirements and secure coding.
The tag is: misp-galaxy:first-csirt-services-framework="Function: Technical advice"
FIRST DNS Abuse Techniques Matrix
The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
FIRST DNS Abuse Techniques Matrix is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
- authors: FIRST.org, Andrey Meshkov (AdGuard), Ángel González (INCIBE-CERT), Angela Matlapeng (bwCSIRT), Benedict Addis (Shadowserver), Brett Carr (Nominet), Carlos Alvarez (ICANN; founding member), David Ruefenacht (Infoguard), Gabriel Andrews (FBI), John Todd (Quad9; current co-chair of DNS Abuse SIG), Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair), Jonathan Spring (CISA; current co-chair of DNS Abuse SIG), Mark Henderson (IRS), Mark Svancarek (Microsoft), Merike Kaeo (Double Shot Security), Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member), Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG), Shoko Nakai (JPCERT/CC), Swapneel Patnekar (Shreshta IT), Trey Darley (FIRST board; founding member)
DGAs
DGAs - Domain Generation Algorithms
The tag is: misp-galaxy:first-dns="DGAs"
Domain name compromise
Wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity, such as sending spam or phishing, distributing malware, or serving as botnet command and control.
The tag is: misp-galaxy:first-dns="Domain name compromise"
Lame delegations
Lame delegations occur when a nameserver domain expires, allowing attackers to take control of the domain resolution by re-registering the expired nameserver domain.
The tag is: misp-galaxy:first-dns="Lame delegations"
Links
https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/
DNS cache poisoning
DNS cache poisoning - also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver’s cache by injecting false DNS records, causing the resolver to return records controlled by the attacker.
The tag is: misp-galaxy:first-dns="DNS cache poisoning"
DNS rebinding
DNS rebinding - a type of attack in which a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim’s local resources.
The tag is: misp-galaxy:first-dns="DNS rebinding"
DNS server compromise
Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.
The tag is: misp-galaxy:first-dns="DNS server compromise"
Stub resolver hijacking
The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.
The tag is: misp-galaxy:first-dns="Stub resolver hijacking"
Local recursive resolver hijacking
Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.
The tag is: misp-galaxy:first-dns="Local recursive resolver hijacking"
On-path DNS attack
Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.
The tag is: misp-galaxy:first-dns="On-path DNS attack"
Links
https://www.imperva.com/learn/application-security/dns-hijacking-redirection/
DoS against the DNS
Multiple systems sending malicious traffic to a target at the same time.
The tag is: misp-galaxy:first-dns="DoS against the DNS"
DNS as a vector for DoS
Adversaries may attempt to cause a denial of service by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP, though the use of several others in the wild has been documented. These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.
The tag is: misp-galaxy:first-dns="DNS as a vector for DoS"
Dynamic DNS resolution
Dynamic DNS resolution (as obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
The tag is: misp-galaxy:first-dns="Dynamic DNS resolution"
Dynamic DNS resolution: Fast flux
Dynamic DNS resolution: Fast flux (as obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.
The tag is: misp-galaxy:first-dns="Dynamic DNS resolution: Fast flux"
Infiltration and exfiltration via the DNS
Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain’s zone file information and configured to receive and respond to the queries sent by the compromised devices.
The tag is: misp-galaxy:first-dns="Infiltration and exfiltration via the DNS"
Malicious registration of (effective) second level domains
For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.
The tag is: misp-galaxy:first-dns="Malicious registration of (effective) second level domains"
Creation of malicious subdomains under dynamic DNS providers
Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control.
The tag is: misp-galaxy:first-dns="Creation of malicious subdomains under dynamic DNS providers"
Compromise of a non-DNS server to conduct abuse
Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.
The tag is: misp-galaxy:first-dns="Compromise of a non-DNS server to conduct abuse"
Spoofing or otherwise using unregistered domain names
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.
The tag is: misp-galaxy:first-dns="Spoofing or otherwise using unregistered domain names"
Spoofing of a registered domain
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.
The tag is: misp-galaxy:first-dns="Spoofing of a registered domain"
DNS tunneling
DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.
The tag is: misp-galaxy:first-dns="DNS tunneling"
DNS beacons - C2 communication
DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.
The tag is: misp-galaxy:first-dns="DNS beacons - C2 communication"
GSMA MoTIF
Mobile Threat Intelligence Framework (MoTIF) Principles.
GSMA MoTIF is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
- authors: GSMA
Monitor Radio Interface
The adversaries may monitor radio interface traffic to passively collect information about the radio network configuration or about subscribers in close vicinity of the adversary. (1), (2), (3), (4).
The tag is: misp-galaxy:gsma-motif="Monitor Radio Interface"
Links
(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015
(2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.
(3) Kumar, P. et al. (2021). Murat: Multi-RAT False Base Station Detector (Section IIB)
(4) Rupprecht, D. et al. (2018). On Security Research Towards Future Mobile Network Generations. (Section III D)
Broadcast Channel
In mobile networks the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that utilizes the radio interface. Examples of such configuration parameters are the physical cell ID (PCI), neighbouring cells, frequencies used, and Tracking Area Codes (TAC). (1), (2), (3), (4)
The tag is: misp-galaxy:gsma-motif="Broadcast Channel"
Links
(1) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild.
(2) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015
(3) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks.
(4) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.
Gather Victim Identity Information
Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. In mobile networks, the adversary wants to obtain information about subscriber and phone identities to conduct more targeted attacks. Subscriber identity can be, for example, MSISDN, IMSI, GUTI, TMSI.
The tag is: misp-galaxy:gsma-motif="Gather Victim Identity Information"
Links
(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
ATT&CK Enterprise: Gather Victim Identity Information (T1589)
Phone and Subscription Information
In mobile networks, targeted attacks towards subscribers have to be done using the subscriber identity. Obtaining the identity would allow the attacker to gather more information or initiate more targeted attacks. The adversary gathers phone or subscription related information about subscriber(s). Examples are phone number (MSISDN), IMSI (International Mobile Subscriber Identity), home mobile network operator, S@T browser availability on the UICC, IMEI (International Mobile Equipment Identity). The data might be acquired through interconnection, social engineering, social media or otherwise. (1)
The tag is: misp-galaxy:gsma-motif="Phone and Subscription Information"
Links
(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
ATT&CK Enterprise: Gather Employee Names (T1589.003)
Network Service Scanning
An adversary may discover operator network related information (identifiers). Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. In mobile networks, the adversary wants to obtain information about subscribers, signalling addresses, and the services supported by a given server. The scan may take place from the Internet, the interconnection network, or the radio network. Often automated mass scanning events take place.
The tag is: misp-galaxy:gsma-motif="Network Service Scanning"
Links
(1) GSMA PRD IR.70 - SMS SS7 Fraud (Public)
ATT&CK Enterprise: Network Service Discovery (T1046), FiGHT: Network Service Scanning (FGT1046) NOTE: These two MITRE techniques are actually the same, however due to an error the FiGHT technique was renamed.
Scan Signalling Addresses
By sending signalling messages to the network, the adversary tries to check whether mobile network nodes leak node or network related information, or whether defences can be bypassed ((1), (2) below). Using this sub-technique as a preparatory step, the adversary can then tune further attack steps to send specific attack messages based on this scan. Examples are SS7 scans to evaluate whether a Global Title is in use or not. The adversary may also probe which PLMN-ID values are accepted by the HPLMN in a Diameter Authentication Information Request (AIR).
The tag is: misp-galaxy:gsma-motif="Scan Signalling Addresses"
Links
(1) Enea. (2017). Designated Attacker - Evolving SS7 Attack Tools
(2) Enea. (2018). Diameter Signalling Security - Protecting 4G Networks
ATT&CK Enterprise: IP Block Scanning (T1595.001)
Search Closed Sources
Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black markets. Adversaries may search and collect information about the mobile network operator from closed or semi-closed sources. Typical examples are GSMA IR.21, IR.85, FS.30 or T-ISAC, information from insiders or partners. The information acquisition might be done legally or illegally.
The tag is: misp-galaxy:gsma-motif="Search Closed Sources"
Links
(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide.
(2) https://www.wikileaks.org/hackingteam/emails/emailid/72166
ATT&CK Enterprise: Search Closed Sources (T1597)
Mobile Network Operator Sources
The adversary may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, suppliers. The adversary may search in closed sources like GSMA roaming database RAEX IR.21 (1), IMEI database (2) or IR.85.
The tag is: misp-galaxy:gsma-motif="Mobile Network Operator Sources"
Links
(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide.
(2) https://www.wikileaks.org/hackingteam/emails/emailid/72166
Acquire Infrastructure
Adversaries may buy, lease, or rent infrastructure that can be used during targeting. For example, commercial service providers exist that offer access to signalling infrastructure or sell False Base Station solutions. Use of these infrastructure solutions allows an adversary to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal.
The tag is: misp-galaxy:gsma-motif="Acquire Infrastructure"
Links
(1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world.
ATT&CK Enterprise: Acquire Infrastructure (T1583)
Core Signalling Infrastructure Access
Adversaries may buy, lease, or rent SS7, Diameter, or GTP-C signalling infrastructure access or services that can be used during targeting (1), (2), (3). Targeted attacks on mobile network operators may use ‘surveillance as a service’ specialists to achieve their goals (2). Their attacks often blend in with normal traffic coming from partners of the victim mobile network operator and make attribution difficult. Fraudsters and spammers may use specific partner gateways or access to messaging servers for their purposes.
The tag is: misp-galaxy:gsma-motif="Core Signalling Infrastructure Access"
Links
(1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world.
(2) CitizenLab. (2020). Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles.
(3) TBIJ. (2021). Swiss tech company boss accused of selling mobile network access for spying.
(4) Enea (2021) 5G Network Slicing Security in 5G Core Networks
(5) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
Radio Interface Access
Adversaries may buy, lease, or obtain physical access to a mobile operator network base station, or use their own rogue cellular base station (Stingray) for launching an attack (2) (3). The adversary could set up a rogue cellular base station infrastructure and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique (1).
The tag is: misp-galaxy:gsma-motif="Radio Interface Access"
Links
(1) DePerry, D. & Ritter, T. (2013). I Can Hear You Now - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell. Black Hat USA 2013
(2) Wired (2016). Here’s How Much a StingRay Cell Phone Surveillance Tool Costs
(3) Alibaba.com. Wholesale imsi catcher 4g For Online Communication
Develop Capabilities
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. In mobile networks, adversaries may develop false base stations (1), mobile exploits, core signalling exploitation tools (2), SIM card exploits, radio exploitation tools and other tools to initiate attacks.
The tag is: misp-galaxy:gsma-motif="Develop Capabilities"
Links
(1) Motherboard. (2018). Here’s How Easy It Is to Make Your Own IMSI-Catcher
(2) Lighthouse Reports. (2022). Revealing Europe’s NSO.
ATT&CK Enterprise: Develop Capabilities (T1587)
Mobile Network Tool
Adversary develops special tools for mobile networks that carry out and deliver mobile network targeted exploits. (1) (2)
The tag is: misp-galaxy:gsma-motif="Mobile Network Tool"
Links
(1) Motherboard. (2018). Here’s How Easy It Is to Make Your Own IMSI-Catcher
(2) Lighthouse Reports. (2022). Revealing Europe’s NSO.
(3) Mobileum. (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem
ATT&CK mapping: N/A
Exploit Interconnection Link
The adversary may get access to the target network via the interconnection interface.
The tag is: misp-galaxy:gsma-motif="Exploit Interconnection Link"
Links
(1) P1 Security. (2021). All authentication vectors are not made equal.
International Direct Signalling Link
The adversary may get access to the target network via a direct signalling link connected to the international exchange.
The tag is: misp-galaxy:gsma-motif="International Direct Signalling Link"
Links
(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor
(2) P1 Security. (2021). All authentication vectors are not made equal.
National Direct Signalling Link
The adversary may get access to the target network via a direct signalling link connected to the national exchange.
The tag is: misp-galaxy:gsma-motif="National Direct Signalling Link"
Links
(1) P1 Security. (2014). SS7map: mapping vulnerability of the international mobile roaming infrastructure
Exploit via Core Signalling Interface
The adversary may access the target network by exploiting signalling (i.e. control plane) protocols.
The tag is: misp-galaxy:gsma-motif="Exploit via Core Signalling Interface"
Links
(1) P1 Security. (2021). All authentication vectors are not made equal.
SS7 Protocol
The adversary may access the target network by using SS7 protocol.
The tag is: misp-galaxy:gsma-motif="SS7 Protocol"
Links
(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe.
(2) Lighthouse Reports. (2022). Revealing Europe’s NSO.
(3) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.
Diameter Protocol
The adversary may access the target network by using Diameter protocol.
The tag is: misp-galaxy:gsma-motif="Diameter Protocol"
Links |
(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020. |
HTTPS/2 Protocol
The adversary may access the target network by using HTTPS/2 protocol.
The tag is: misp-galaxy:gsma-motif="HTTPS/2 Protocol"
Links |
(1) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020. |
Trusted Relationship
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that requires more complicated defence mechanisms to detect and prevent unauthorized access to a network. (1) (2)
The tag is: misp-galaxy:gsma-motif="Trusted Relationship"
Links |
(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe’s NSO |
ATT&CK Enterprise: Trusted Relationship (T1199) |
Exploit Interconnection Agreements
The technique can be conducted by a malicious partner or by adversaries with access to interconnection networks or a roaming partner’s mobile network. The adversary can remotely conduct the attacks by launching signalling messages, e.g. related to location tracking, communication interception, or subscriber identity retrieval. (1), (2), (3)
The tag is: misp-galaxy:gsma-motif="Exploit Interconnection Agreements"
Links |
(1) P1 Security (2021). All authentication vectors are not made equal. (2) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (3) Lighthouse Reports. (2022). Revealing Europe’s NSO (4) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor |
Exploit via Radio Interface
Adversaries may use the radio access network to initiate attacks towards the UE or the mobile network. (1) (2) (3) The adversary may leverage vulnerabilities in the protocols that make up the signalling procedures in a radio network, for example network information (SIB1) messages, the RRC protocol, or NAS protocols, to initiate attacks towards the UE or the mobile network.
The tag is: misp-galaxy:gsma-motif="Exploit via Radio Interface"
Links |
(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020. |
ATT&CK Mobile: Exploit via Radio Interfaces (T1477). Note: Deprecated |
AS Signalling
Adversaries may modify or trigger control plane procedures on the radio interface control plane using Access Stratum (AS) signalling that occurs between the UE and the base station.
The tag is: misp-galaxy:gsma-motif="AS Signalling"
Links |
(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks |
NAS Signalling
Adversaries may modify or trigger Non-Access-Stratum (NAS) signalling related procedures that are generated from a false base station infrastructure. The adversary may impersonate core network elements (such as the MME) towards the UE, or the UE towards the core network elements.
The tag is: misp-galaxy:gsma-motif="NAS Signalling"
Links |
(1) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks |
Radio Broadcast Channel (SIB1)
The adversary leverages the radio broadcast System Information Block 1 (SIB1) messages to advertise a new cell configuration to the target UEs, which in turn forces the UE to initiate different procedures such as cell re-selection or Tracking Area Update. (1), (2), (3)
The tag is: misp-galaxy:gsma-motif="Radio Broadcast Channel (SIB1)"
Links |
(1) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (2) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020. |
Identify Subscriber
An adversary may obtain a subscriber permanent or temporary identifier via various means. An adversary may obtain the subscriber identifier by using an HLR Lookup, or by monitoring the radio interface. An adversary may obtain identifying information from 5G UEs only after the UE has been bid down (downgraded) to a lower security protocol, e.g. 4G, since in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International Mobile Subscriber Identity) in the clear over the radio interface. The 5G UE sends an encrypted permanent identifier (called the Subscription Concealed Identifier, SUCI) over the radio interface as part of the initial registration to the 5G network. Some non-UE-specific information that is part of the Subscription Permanent Identifier (SUPI) is not encrypted (e.g., the home network name).
The tag is: misp-galaxy:gsma-motif="Identify Subscriber"
Links |
(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network |
Subscriber Profile Identifier Discovery: Intercept bid-down SUPI |
MITRE FiGHT™ *= This is the same Technique as MITRE FiGHT, however a different name is used; MITRE FiGHT may potentially update in the future |
Trigger Subscriber Terminated Activity
The adversary can trigger mobile terminating activity, such as making calls to the subscriber’s profile (1), sending silent SMS (2), or triggering notifications from instant messengers (1), in order to trigger paging of the subscriber. The technique can be made more stealthy by using silent phone calls or silent SMSs (2) (3). The adversary can monitor the paging activity in the radio network and correlate the paging with the triggered activity to identify the target subscriber identifier.
The tag is: misp-galaxy:gsma-motif="Trigger Subscriber Terminated Activity"
Links |
(1) Shaik, A. et al. (2016). Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. (2) Nohl, K. & Munaut, S. (2010) GSM Sniffing. 27th CCC. (3) Hussain, S. et al. (2019) Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information. |
N/A |
Retrieve Subscriber Identity Information
The adversary can retrieve subscriber information such as the IMSI, MSISDN, SUPI, SUCI, etc.
The tag is: misp-galaxy:gsma-motif="Retrieve Subscriber Identity Information"
Links |
(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network |
N/A |
Retrieve Subscriber Network Information
The adversary can retrieve subscriber network information such as the current serving network element(s).
The tag is: misp-galaxy:gsma-motif="Retrieve Subscriber Network Information"
Links |
(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network |
N/A |
Masquerading
Adversaries may attempt to manipulate parameters in the control signalling to make them appear legitimate or benign to mobile subscribers, end nodes and/or security tools. Masquerading occurs when a parameter value is manipulated or abused for the sake of evading defences, or to convince the target that it is communicating with a spoofed entity. A typical masquerading operation is manipulation of the source node address.
The tag is: misp-galaxy:gsma-motif="Masquerading"
Links |
(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. |
ATT&CK Enterprise: Masquerading (T1036) |
Originating Entity Spoofing
The adversary may attempt to manipulate the originating address information, such as Global Title Address, Diameter Host or Realm information for the sake of evading defences. The adversary may attempt to manipulate the configured cell ID on the false base station to configure it to a known cell ID in the network to evade detection.
The tag is: misp-galaxy:gsma-motif="Originating Entity Spoofing"
Links |
(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (3) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor |
Disguise Signalling Messages
The adversary can disguise its signalling messages in order to avoid detection and blocking of their attacks. Examples include using unexpected addresses, unexpected message format or unexpected message encoding.
The tag is: misp-galaxy:gsma-motif="Disguise Signalling Messages"
Links |
(1) Symsoft & P1 Security. (2018). SS7 and Diameter: Exploit Delivery over signalling protocols. (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019 |
Unexpected Encoding
The adversary may use an unexpected encoding of the signalling message in order to bypass detection and any defences which may be in place.
The tag is: misp-galaxy:gsma-motif="Unexpected Encoding"
Links |
(1) Puzankov, K. (2019) Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019 |
Access Subscriber Data
The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.
The tag is: misp-galaxy:gsma-motif="Access Subscriber Data"
Links |
(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019 |
Subscriber Authentication Data
The adversary may acquire subscriber authentication information from mobile network registers, such as HLR/HSS/AuC or MSC/VLR, SGSN, MME. For example, the adversary may query subscriber keys, authentication vectors etc. and use this information to tailor further phases of the attack.
The tag is: misp-galaxy:gsma-motif="Subscriber Authentication Data"
Links |
(1) P1 Security. (2021). All authentication vectors are not made equal. |
Network Sniffing
Adversaries may sniff network traffic to capture information about an environment, including authentication material, base station configuration and user plane traffic passed over the network.
The tag is: misp-galaxy:gsma-motif="Network Sniffing"
Links |
(1) Kotuliak, M. et al. (2022) LTrack: Stealthy Tracking of Mobile Phones in LTE |
Network Sniffing, Technique T1040 - Enterprise |
MITRE ATT&CK® Network Sniffing |
MITRE FiGHT™ (FGT1040) |
Radio Interface
An adversary may eavesdrop on unencrypted or encrypted traffic to capture information to and from a UE. An adversary may employ a back-to-back false base station to eavesdrop on the communication and relay communication between the intended recipient and the intended source over the radio interface. The adversary may also passively sniff the radio traffic and capture specific traffic that can then, if possible, be analyzed. (1) When operating a false base station the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack utilizing the radio interface. Examples of such configuration are the Physical Cell ID (PCI), neighbouring cells, frequencies used, and Location Area Codes/Tracking Area Codes (LAC/TAC). (2) The adversary may use methods of capturing control plane or user plane traffic on the radio interface.
The tag is: misp-galaxy:gsma-motif="Radio Interface"
Links |
(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (3) P1 Security. (2021). All authentication vectors are not made equal. |
Network Sniffing: Radio interface |
MITRE FiGHT™ (FGT1040.501) |
Locate Subscriber
An adversary may obtain the UE location using the radio access or core network. The adversary may employ various means to obtain the UE location (coarse or fine) via the radio access or core network.
The tag is: misp-galaxy:gsma-motif="Locate Subscriber"
Links |
(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor (2) Mc Daid, C. (2019). Simjacker – the next frontier in mobile espionage. VB2019 (3) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe |
Location Tracking, Technique T1430 - Mobile |
MITRE ATT&CK® Locate UE |
MITRE FiGHT™ (FGT5012) |
Core Network Function Signalling
An adversary in the core network exploits signalling protocols to obtain the location of the UE. User location tracking is part of normal cellular operation. Adversaries with access to core network or a core network function (NF) can misuse signalling protocols (e.g., SS7, GTP and Diameter or the SBI API calls), or exploit vulnerabilities in the signalling plane, in order to obtain location information for a given UE.
The tag is: misp-galaxy:gsma-motif="Core Network Function Signalling"
Links |
(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020. |
Locate UE: Core Network Function Signaling |
MITRE FiGHT™ (FGT5012.004) |
Search Open Websites/Domains
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available on various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts. (1)(2)(3) Adversaries may gather subscription or residence related information about subscriber(s); examples are the phone number (MSISDN), home address, and home mobile network operator. Adversaries may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, or suppliers. (4)
The tag is: misp-galaxy:gsma-motif="Search Open Websites/Domains"
Links |
(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Security Trails. (2019). Exploring Google Hacking Techniques. (3) Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020. (4) Holtmanns, S. (2018). Secure Interworking Between Networks in 5G Service Based Architecture. ETSI Security Week 2018. |
Search Open Websites/Domains, Technique T1593 - Enterprise |
MITRE ATT&CK® GSMA Non-public materials |
Social Media
Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use the information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service). (1) Information from these sources may reveal opportunities for other forms of reconnaissance, establishing operational resources, and/or initial access. Social media sites may contain information about subscriber phone numbers, addresses, etc., which can be used e.g. when installing false base stations in close vicinity of the victim. (2)
The tag is: misp-galaxy:gsma-motif="Social Media"
Links |
(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Equifax UK. (2022). The risks of sharing your location on social media. |
Search Open Websites/Domains: Social Media, Sub-technique T1593.001 - Enterprise |
MITRE ATT&CK® |
Adversary-in-the-Middle
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (1) (2). Adversaries may leverage the AiTM position to attempt to monitor traffic.
The tag is: misp-galaxy:gsma-motif="Adversary-in-the-Middle"
Links |
(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal. |
Adversary-in-the-Middle, Technique T1557 - Enterprise |
MITRE ATT&CK® Adversary-in-the-Middle |
MITRE FiGHT™ (FGT1557) |
Radio Interface Authentication Relay
An adversary positions itself on the radio interface to capture information to and from the UE. The adversary can deploy a false base station as a back-to-back base station/UE combination to impersonate the UE towards the real eNB or core network element (such as the MME), and to impersonate the base station or core network element towards the target UE. (1) (2)
The tag is: misp-galaxy:gsma-motif="Radio Interface Authentication Relay"
Links |
(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal. https://labs.p1sec.com/2021/09/30/all-authentication-vectors-are-not-made-equal/ |
Adversary-in-the-Middle: Radio interface |
MITRE FiGHT™ |
Supply Chain Compromise
Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain, including:
• Manipulation of development tools
• Manipulation of a development environment
• Manipulation of source code repositories (public or private)
• Manipulation of source code in open-source dependencies
• Manipulation of software update/distribution mechanisms
• Compromised/infected system images (multiple cases of removable media infected at the factory) (1) (2)
• Replacement of legitimate software with modified versions
• Sales of modified/counterfeit products to legitimate distributors
• Shipment interdiction
While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.
The tag is: misp-galaxy:gsma-motif="Supply Chain Compromise"
Links |
(1) The Register. (2023). Millions of mobile phones come pre-infected with Malware (2) Schneider Electric. (2018). Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor. |
Supply Chain Compromise, Technique T1195 - Enterprise |
MITRE ATT&CK® |
Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
The tag is: misp-galaxy:gsma-motif="Compromise Software Supply Chain"
Links |
(1) The Register (2023). Millions of mobile phones come pre-infected with Malware |
Supply Chain Compromise: Compromise Software Supply Chain, Sub-technique T1195.002 - Enterprise |
MITRE ATT&CK® |
Network Function Service Discovery
An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.
The tag is: misp-galaxy:gsma-motif="Network Function Service Discovery"
Links |
(1) R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield. (2021). Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK. (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem |
Network Function Service Discovery |
MITRE FiGHT™ (FGT5003) |
Exploitation for Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
The tag is: misp-galaxy:gsma-motif="Exploitation for Credential Access"
Links |
(1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem |
Exploitation for Credential Access, Technique T1212 - Enterprise |
MITRE ATT&CK® https://fight.mitre.org/techniques/FGT5003/ |
Data Manipulation
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
The tag is: misp-galaxy:gsma-motif="Data Manipulation"
Links |
(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem |
Data Manipulation, Technique T1565 - Enterprise |
MITRE ATT&CK® Data Manipulation |
MITRE FiGHT™ (FGT1565) |
Stored Data Manipulation
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
The tag is: misp-galaxy:gsma-motif="Stored Data Manipulation"
Links |
(1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem |
Data Manipulation: Stored Data Manipulation, Sub-technique T1565.001 - Enterprise |
MITRE ATT&CK® |
Human Layer Kill Chain
Human Layer Kill Chain (HKC) framework.
Human Layer Kill Chain is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Vasilis Katos - Jane Henriksen-Bulmer - Emily Rosenorn-Lanng - Ala Yankouskaya
Research dating platforms and identify vulnerable profiles
Research dating platforms and identify vulnerable profiles
The tag is: misp-galaxy:human-layer-kill-chain="Research dating platforms and identify vulnerable profiles"
Identify low value target/employee
Identify low value target/employee
The tag is: misp-galaxy:human-layer-kill-chain="Identify low value target/employee"
Analyse emotional vulnerabilities (recent loss, loneliness)
Analyse emotional vulnerabilities (recent loss, loneliness)
The tag is: misp-galaxy:human-layer-kill-chain="Analyse emotional vulnerabilities (recent loss, loneliness)"
Profile executives
Profile executives
The tag is: misp-galaxy:human-layer-kill-chain="Profile executives"
Create attractive fake profiles with stolen/deepfake photos
Create attractive fake profiles with stolen/deepfake photos
The tag is: misp-galaxy:human-layer-kill-chain="Create attractive fake profiles with stolen/deepfake photos"
Create spoofed email
Create spoofed email
The tag is: misp-galaxy:human-layer-kill-chain="Create spoofed email"
Initial contact and emotional connection
Initial contact and emotional connection
The tag is: misp-galaxy:human-layer-kill-chain="Initial contact and emotional connection"
Establish legitimacy
Establish legitimacy
The tag is: misp-galaxy:human-layer-kill-chain="Establish legitimacy"
Deploy urgency payment request
Deploy urgency payment request
The tag is: misp-galaxy:human-layer-kill-chain="Deploy urgency payment request"
Deliver ransomware note
Deliver ransomware note
The tag is: misp-galaxy:human-layer-kill-chain="Deliver ransomware note"
Build deep emotional dependency
Build deep emotional dependency
The tag is: misp-galaxy:human-layer-kill-chain="Build deep emotional dependency"
Payment negotiation
Payment negotiation
The tag is: misp-galaxy:human-layer-kill-chain="Payment negotiation"
Crypto payment support
Crypto payment support
The tag is: misp-galaxy:human-layer-kill-chain="Crypto payment support"
Request financial help with fabricated emergency
Request financial help with fabricated emergency
The tag is: misp-galaxy:human-layer-kill-chain="Request financial help with fabricated emergency"
Execute fund transfer
Execute fund transfer
The tag is: misp-galaxy:human-layer-kill-chain="Execute fund transfer"
Delete profile and online presence
Delete profile and online presence
The tag is: misp-galaxy:human-layer-kill-chain="Delete profile and online presence"
Intelligence Agencies
List of intelligence agencies.
Intelligence Agencies is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
- authors
-
Graham87 - Frietjes - Narky Blert - Pkbwcgs - Girth Summit - InternetArchiveBot - AnomieBOT - GreenMeansGo - MusikBot - Trappist the monk
General Directorate of Intelligence
General Directorate of Intelligence (GDI) – د استخباراتو لوی ریاست
The tag is: misp-galaxy:intelligence-agency="General Directorate of Intelligence"
General Directorate of Intelligence is also known as:
-
د استخباراتو لوی ریاست
Links |
https://en.wikipedia.org/wiki/General_Directorate_of_Intelligence |
National Intelligence Service (Albania)
State Intelligence Service (SHISH) – Sherbimi Informativ Shteteror
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Albania)"
National Intelligence Service (Albania) is also known as:
-
Sherbimi Informativ Shteteror
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(Albania) |
Dirección de Observaciones Judiciales
Directorate of Judicial Surveillance (DOJ) – Dirección de Observaciones Judiciales
The tag is: misp-galaxy:intelligence-agency="Dirección de Observaciones Judiciales"
Links |
https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Observaciones_Judiciales |
Servicio Federal de Lucha contra el Narcotráfico
Federal Counternarcotics Service (SEFECONAR) – Servicio Federal de Lucha contra el Narcotráfico
The tag is: misp-galaxy:intelligence-agency="Servicio Federal de Lucha contra el Narcotráfico"
Links |
https://en.wikipedia.org/wiki/Servicio_Federal_de_Lucha_contra_el_Narcotr%C3%A1fico |
Inteligencia de la Gendarmería Nacional Argentina
Argentine National Gendarmerie Intelligence (SIGN) – Inteligencia de la Gendarmería Nacional Argentina
The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Gendarmería Nacional Argentina"
Links |
https://en.wikipedia.org/wiki/Inteligencia_de_la_Gendarmer%C3%ADa_Nacional_Argentina |
Dirección Nacional de Inteligencia Estratégica Militar
National Directorate of Strategic Military Intelligence (DNIEM) – Dirección Nacional de Inteligencia Estratégica Militar
The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Estratégica Militar"
Links |
https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Estrat%C3%A9gica_Militar |
Inteligencia del Servicio Penitenciario Federal
Federal Penitentiary Service Intelligence – Inteligencia del Servicio Penitenciario Federal
The tag is: misp-galaxy:intelligence-agency="Inteligencia del Servicio Penitenciario Federal"
Links |
https://en.wikipedia.org/wiki/Inteligencia_del_Servicio_Penitenciario_Federal |
Inteligencia de la Policía de Seguridad Aeroportuaria
Airport Security Police Intelligence – Inteligencia de la Policía de Seguridad Aeroportuaria
The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía de Seguridad Aeroportuaria"
Links |
https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_de_Seguridad_Aeroportuaria |
Dirección Nacional de Inteligencia Criminal
National Directorate of Criminal Intelligence (DNIC) – Dirección Nacional de Inteligencia Criminal
The tag is: misp-galaxy:intelligence-agency="Dirección Nacional de Inteligencia Criminal"
Links |
https://en.wikipedia.org/wiki/Direcci%C3%B3n_Nacional_de_Inteligencia_Criminal |
Inteligencia de la Policía Federal Argentina
Argentine Federal Police Intelligence – Inteligencia de la Policía Federal Argentina
The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Federal Argentina"
Links |
https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Federal_Argentina |
Inteligencia de la Policía Bonaerense
Buenos Aires Police Intelligence (SIPBA) – Inteligencia de la Policía Bonaerense
The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Policía Bonaerense"
Links |
https://en.wikipedia.org/wiki/Inteligencia_de_la_Polic%C3%ADa_Bonaerense |
Inteligencia de la Prefectura Naval Argentina
Argentine Naval Prefecture Intelligence (SIPN) – Inteligencia de la Prefectura Naval Argentina
The tag is: misp-galaxy:intelligence-agency="Inteligencia de la Prefectura Naval Argentina"
Links |
https://en.wikipedia.org/wiki/Inteligencia_de_la_Prefectura_Naval_Argentina |
Unidad de Inteligencia Financiera (Argentina)
Financial Intelligence Unit (UIF) – Unidad de Inteligencia Financiera
The tag is: misp-galaxy:intelligence-agency="Unidad de Inteligencia Financiera (Argentina)"
Unidad de Inteligencia Financiera (Argentina) is also known as:
-
Unidad de Inteligencia Financiera
Links |
https://en.wikipedia.org/wiki/Unidad_de_Inteligencia_Financiera_(Argentina) |
Central de Reunión de Inteligencia Militar
Military Intelligence Collection Center (CRIM) – Central de Reunión de Inteligencia Militar
The tag is: misp-galaxy:intelligence-agency="Central de Reunión de Inteligencia Militar"
Links |
https://en.wikipedia.org/wiki/Central_de_Reuni%C3%B3n_de_Inteligencia_Militar |
Servicio de Inteligencia del Ejército (Argentina)
Army Intelligence Service (SIE) – Servicio de Inteligencia del Ejército
The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia del Ejército (Argentina)"
Servicio de Inteligencia del Ejército (Argentina) is also known as:
-
Servicio de Inteligencia del Ejército
Links |
https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_del_Ej%C3%A9rcito_(Argentina) |
Servicio de Inteligencia Naval (Argentina)
Naval Intelligence Service (SIN) – Servicio de Inteligencia Naval
The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia Naval (Argentina)"
Servicio de Inteligencia Naval (Argentina) is also known as:
-
Servicio de Inteligencia Naval
Links |
https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_Naval_(Argentina) |
Servicio de Inteligencia de la Fuerza Aérea (Argentina)
Air Force Intelligence Service (SIFA) – Servicio de Inteligencia de la Fuerza Aérea
The tag is: misp-galaxy:intelligence-agency="Servicio de Inteligencia de la Fuerza Aérea (Argentina)"
Servicio de Inteligencia de la Fuerza Aérea (Argentina) is also known as:
-
Servicio de Inteligencia de la Fuerza Aérea
Links |
https://en.wikipedia.org/wiki/Servicio_de_Inteligencia_de_la_Fuerza_A%C3%A9rea_(Argentina) |
National Security Service (Armenia)
National Security Service (NSS)
The tag is: misp-galaxy:intelligence-agency="National Security Service (Armenia)"
Links |
https://en.wikipedia.org/wiki/National_Security_Service_(Armenia) |
Australian Security Intelligence Organisation
Australian Security Intelligence Organisation (ASIO)
The tag is: misp-galaxy:intelligence-agency="Australian Security Intelligence Organisation"
Links |
https://en.wikipedia.org/wiki/Australian_Security_Intelligence_Organisation |
Australian Secret Intelligence Service
Australian Secret Intelligence Service (ASIS)
The tag is: misp-galaxy:intelligence-agency="Australian Secret Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Australian_Secret_Intelligence_Service |
Australian Signals Directorate
Australian Signals Directorate (ASD)
The tag is: misp-galaxy:intelligence-agency="Australian Signals Directorate"
Links |
https://en.wikipedia.org/wiki/Australian_Signals_Directorate |
Australian Geospatial-Intelligence Organisation
Australian Geospatial-Intelligence Organisation (AGO)
The tag is: misp-galaxy:intelligence-agency="Australian Geospatial-Intelligence Organisation"
Links |
https://en.wikipedia.org/wiki/Australian_Geospatial-Intelligence_Organisation |
Defence Intelligence Organisation
Defence Intelligence Organisation (DIO)
The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Organisation"
Links |
https://en.wikipedia.org/wiki/Defence_Intelligence_Organisation |
Office of National Intelligence (Australia)
Office of National Intelligence (ONI)
The tag is: misp-galaxy:intelligence-agency="Office of National Intelligence (Australia)"
Links |
https://en.wikipedia.org/wiki/Office_of_National_Intelligence_(Australia) |
Heeresnachrichtenamt
Heeresnachrichtenamt (HNA): Army Intelligence Office
The tag is: misp-galaxy:intelligence-agency="Heeresnachrichtenamt"
Heeresnachrichtenamt is also known as:
-
Army Intelligence Office
Links |
Ministry of Defence (Austria)
Abwehramt (AbwA): Counter-Intelligence Office
The tag is: misp-galaxy:intelligence-agency="Ministry of Defence (Austria)"
Ministry of Defence (Austria) is also known as:
-
Counter-Intelligence Office
Links |
https://en.wikipedia.org/wiki/Ministry_of_Defence_(Austria)#Subordinate_departments |
State Security and Intelligence Directorate
Direktion Staatsschutz und Nachrichtendienst (DSN): State Security and Intelligence Directorate
The tag is: misp-galaxy:intelligence-agency="State Security and Intelligence Directorate"
Links |
https://en.wikipedia.org/wiki/State_Security_and_Intelligence_Directorate |
State Security Service of the Republic of Azerbaijan
State Security Service (Dövlət Təhlükəsizliyi Xidməti)
The tag is: misp-galaxy:intelligence-agency="State Security Service of the Republic of Azerbaijan"
Links |
https://en.wikipedia.org/wiki/State_Security_Service_of_the_Republic_of_Azerbaijan |
Foreign Intelligence Service (Azerbaijan)
Foreign Intelligence Service (Xarici Kəşfiyyat Xidməti)
The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Azerbaijan)"
Links |
https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Azerbaijan) |
Financial Monitoring Service (Azerbaijan)
Financial Monitoring Service (Maliyyə Monitorinqi Xidməti)
The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Service (Azerbaijan)"
Links |
https://en.wikipedia.org/wiki/Financial_Monitoring_Service_(Azerbaijan) |
Special Branch (Bahamas)
Security and Intelligence Branch (SIB)
The tag is: misp-galaxy:intelligence-agency="Special Branch (Bahamas)"
Links |
Financial Intelligence Unit (Bahamas)
Financial Intelligence Unit (FIU)
The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Bahamas)"
Links |
National Crime Intelligence Agency (NCIA)
National Crime Intelligence Agency (NCIA)
The tag is: misp-galaxy:intelligence-agency="National Crime Intelligence Agency (NCIA)"
National Security Agency (Bahrain)
NSA – National Security Agency
The tag is: misp-galaxy:intelligence-agency="National Security Agency (Bahrain)"
Links |
https://en.wikipedia.org/wiki/National_Security_Agency_(Bahrain) |
National Committee for Intelligence Coordination
National Committee for Intelligence Coordination
The tag is: misp-galaxy:intelligence-agency="National Committee for Intelligence Coordination"
Links |
https://en.wikipedia.org/wiki/National_Committee_for_Intelligence_Coordination |
National Security Intelligence
National Security Intelligence (NSI)
The tag is: misp-galaxy:intelligence-agency="National Security Intelligence"
Links |
https://en.wikipedia.org/wiki/National_Security_Intelligence |
Special Security Force
Special Security Force – Intelligence Bureau (SSF-IB)
The tag is: misp-galaxy:intelligence-agency="Special Security Force"
Links |
National Security Affairs Cell
National Security Affairs Cell
The tag is: misp-galaxy:intelligence-agency="National Security Affairs Cell"
Links |
https://en.wikipedia.org/wiki/National_Security_Affairs_Cell |
Special Branch, Bangladesh Police
Special Branch (SB)
The tag is: misp-galaxy:intelligence-agency="Special Branch, Bangladesh Police"
Links |
https://en.wikipedia.org/wiki/Special_Branch,_Bangladesh_Police |
Detective Branch, Bangladesh Police
Detective Branch (DB)
The tag is: misp-galaxy:intelligence-agency="Detective Branch, Bangladesh Police"
Links |
https://en.wikipedia.org/wiki/Detective_Branch,_Bangladesh_Police |
Police Bureau of Investigation
Police Bureau of Investigation (PBI)
The tag is: misp-galaxy:intelligence-agency="Police Bureau of Investigation"
Links |
https://en.wikipedia.org/wiki/Police_Bureau_of_Investigation |
Criminal Investigation Department (Bangladesh)
Criminal Investigation Department (CID)
The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Bangladesh)"
Links |
https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Bangladesh) |
Counter Terrorism and Transnational Crime
Counter Terrorism and Transnational Crime (CTTC)
The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Transnational Crime"
Links |
https://en.wikipedia.org/wiki/Counter_Terrorism_and_Transnational_Crime |
Rapid Action Battalion
Rapid Action Battalion – Intelligence Wing (RAB-IW)
The tag is: misp-galaxy:intelligence-agency="Rapid Action Battalion"
Links |
Directorate General of Forces Intelligence
Directorate General of Forces Intelligence (DGFI)
The tag is: misp-galaxy:intelligence-agency="Directorate General of Forces Intelligence"
Links |
https://en.wikipedia.org/wiki/Directorate_General_of_Forces_Intelligence |
Counter Terrorism and Intelligence Bureau
Counter Terrorism and Intelligence Bureau (CTIB)
The tag is: misp-galaxy:intelligence-agency="Counter Terrorism and Intelligence Bureau"
Links |
https://en.wikipedia.org/wiki/Counter_Terrorism_and_Intelligence_Bureau |
National Telecommunication Monitoring Centre
National Telecommunication Monitoring Centre (NTMC)
The tag is: misp-galaxy:intelligence-agency="National Telecommunication Monitoring Centre"
Links |
https://en.wikipedia.org/wiki/National_Telecommunication_Monitoring_Centre |
National Board of Revenue
Central Intelligence Unit (CIU)
The tag is: misp-galaxy:intelligence-agency="National Board of Revenue"
Links |
Bangladesh Financial Intelligence Unit
Bangladesh Financial Intelligence Unit (BFIU)
The tag is: misp-galaxy:intelligence-agency="Bangladesh Financial Intelligence Unit"
Links |
https://en.wikipedia.org/wiki/Bangladesh_Financial_Intelligence_Unit |
Digital Security Agency
Digital Security Agency
The tag is: misp-galaxy:intelligence-agency="Digital Security Agency"
Links |
Financial Intelligence Unit (Barbados)
Financial Intelligence Unit (FIU)
The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Barbados)"
Links |
Criminal Investigations Department
Criminal Investigations Department (CID)
The tag is: misp-galaxy:intelligence-agency="Criminal Investigations Department"
Links |
https://en.wikipedia.org/wiki/Criminal_Investigations_Department |
State Security Committee of the Republic of Belarus
State Security Committee of the Republic of Belarus (KDB/KGB) (State Security Committee)
The tag is: misp-galaxy:intelligence-agency="State Security Committee of the Republic of Belarus"
Links |
https://en.wikipedia.org/wiki/State_Security_Committee_of_the_Republic_of_Belarus |
Belgian State Security Service
VSSE (State Security Service)
The tag is: misp-galaxy:intelligence-agency="Belgian State Security Service"
Links |
https://en.wikipedia.org/wiki/Belgian_State_Security_Service |
Belgian General Information and Security Service
ADIV/SGRS (General Intelligence and Security Service, military intelligence)
The tag is: misp-galaxy:intelligence-agency="Belgian General Information and Security Service"
Links |
https://en.wikipedia.org/wiki/Belgian_General_Information_and_Security_Service |
Intelligence-Security Agency of Bosnia and Herzegovina
Intelligence-Security Agency of Bosnia and Herzegovina (OSA)
The tag is: misp-galaxy:intelligence-agency="Intelligence-Security Agency of Bosnia and Herzegovina"
Links |
https://en.wikipedia.org/wiki/Intelligence-Security_Agency_of_Bosnia_and_Herzegovina |
Državna Agencija za Istrage i Zaštitu
Državna Agencija za Istrage i Zaštitu (State Investigation and Protection Agency, SIPA)
The tag is: misp-galaxy:intelligence-agency="Državna Agencija za Istrage i Zaštitu"
Links |
https://en.wikipedia.org/wiki/Dr%C5%BEavna_Agencija_za_Istrage_i_Za%C5%A1titu |
Directorate of Intelligence and Security
Directorate on Intelligence and Security Services (DISS – Ministry of State President Espionage & Counter Intelligence unit)
The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence and Security"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Intelligence_and_Security |
Brazilian Intelligence Agency
Brazilian Intelligence Agency (ABIN)
The tag is: misp-galaxy:intelligence-agency="Brazilian Intelligence Agency"
Links |
Federal Police Department
Federal Police Department (DPF) (counterintelligence agency)
The tag is: misp-galaxy:intelligence-agency="Federal Police Department"
Links |
Institutional Security Bureau
Gabinete de Segurança Institucional (Institutional Security Bureau) (GSI). Responds directly to the president's office and the armed forces; coordinates some intelligence operations.
The tag is: misp-galaxy:intelligence-agency="Institutional Security Bureau"
Links |
Secretaria da Receita Federal do Brasil
Secretaria da Receita Federal do Brasil (Federal Revenue Secretariat) (RFB) (General Coordination for Research and Investigations - Coordenação-Geral de Pesquisa e Investigação - Copei)
The tag is: misp-galaxy:intelligence-agency="Secretaria da Receita Federal do Brasil"
Links |
https://en.wikipedia.org/wiki/Secretaria_da_Receita_Federal_do_Brasil |
Internal Security Department (Brunei)
Internal Security Department (Brunei) (internal)
The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Brunei)"
Links |
https://en.wikipedia.org/wiki/Internal_Security_Department_(Brunei) |
National Intelligence Service (Bulgaria)
State Intelligence Agency (Държавна агенция „Разузнаване“ (DAR)) – overseas intelligence gathering service under the supervision of the Council of Ministers of Bulgaria
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Bulgaria)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(Bulgaria) |
State Agency for National Security
State Agency for National Security (Държавна агенция за национална сигурност (DANS)) – national security service under the supervision of the Council of Ministers of Bulgaria
The tag is: misp-galaxy:intelligence-agency="State Agency for National Security"
Links |
https://en.wikipedia.org/wiki/State_Agency_for_National_Security |
National Intelligence Service (Burundi)
Service national de renseignement (SNR)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Burundi)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(Burundi) |
Canadian Security Intelligence Service
Canadian Security Intelligence Service (CSIS)
The tag is: misp-galaxy:intelligence-agency="Canadian Security Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Canadian_Security_Intelligence_Service |
Communications Security Establishment Canada
Communications Security Establishment (CSE)
The tag is: misp-galaxy:intelligence-agency="Communications Security Establishment Canada"
Links |
https://en.wikipedia.org/wiki/Communications_Security_Establishment_Canada |
Canadian Forces Military Police
Canadian Forces National Counter-Intelligence Unit (DND) operated by the Canadian Forces Military Police Group
The tag is: misp-galaxy:intelligence-agency="Canadian Forces Military Police"
Links |
https://en.wikipedia.org/wiki/Canadian_Forces_Military_Police |
Joint Task Force X
Joint Task Force X
The tag is: misp-galaxy:intelligence-agency="Joint Task Force X"
Criminal Intelligence Service Canada
Criminal Intelligence Service Canada (CISC)
The tag is: misp-galaxy:intelligence-agency="Criminal Intelligence Service Canada"
Links |
https://en.wikipedia.org/wiki/Criminal_Intelligence_Service_Canada |
Intelligence Branch
Intelligence Branch
The tag is: misp-galaxy:intelligence-agency="Intelligence Branch"
Links |
Financial Transactions and Reports Analysis Centre of Canada
Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
The tag is: misp-galaxy:intelligence-agency="Financial Transactions and Reports Analysis Centre of Canada"
Links |
https://en.wikipedia.org/wiki/Financial_Transactions_and_Reports_Analysis_Centre_of_Canada |
Global Affairs Canada
Global Affairs Canada (GAC) Bureau of Intelligence Analysis and Security and Bureau of Economic Intelligence
The tag is: misp-galaxy:intelligence-agency="Global Affairs Canada"
Links |
Royal Canadian Mounted Police
Royal Canadian Mounted Police (RCMP) Intelligence Division
The tag is: misp-galaxy:intelligence-agency="Royal Canadian Mounted Police"
Links |
Canada Border Services Agency
Canada Border Services Agency (CBSA) Immigrations Intelligence
The tag is: misp-galaxy:intelligence-agency="Canada Border Services Agency"
Links |
Canadian Coast Guard
Canadian Coast Guard (CCG)
The tag is: misp-galaxy:intelligence-agency="Canadian Coast Guard"
Links |
Agence nationale de sécurité
Agence nationale de sécurité (ANS)
The tag is: misp-galaxy:intelligence-agency="Agence nationale de sécurité"
Links |
https://en.wikipedia.org/wiki/Agence_nationale_de_s%C3%A9curit%C3%A9 |
Agencia Nacional de Inteligencia
National Intelligence Agency (ANI) – Agencia Nacional de Inteligencia
The tag is: misp-galaxy:intelligence-agency="Agencia Nacional de Inteligencia"
Links |
https://en.wikipedia.org/wiki/Agencia_Nacional_de_Inteligencia |
610 Office
610 Office
The tag is: misp-galaxy:intelligence-agency="610 Office"
Links |
International Liaison Department of the Chinese Communist Party
International Department (ID)
The tag is: misp-galaxy:intelligence-agency="International Liaison Department of the Chinese Communist Party"
Links |
https://en.wikipedia.org/wiki/International_Liaison_Department_of_the_Chinese_Communist_Party |
United Front Work Department
United Front Work Department (UFWD)
The tag is: misp-galaxy:intelligence-agency="United Front Work Department"
Links |
Joint Staff Department of the Central Military Commission Intelligence Bureau
Intelligence Bureau of the General Staff aka 2nd Bureau
The tag is: misp-galaxy:intelligence-agency="Joint Staff Department of the Central Military Commission Intelligence Bureau"
Links |
People’s Liberation Army Air Force
People’s Liberation Army Air Force (PLAAF)
The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army Air Force"
Links |
https://en.wikipedia.org/wiki/People%27s_Liberation_Army_Air_Force |
People’s Liberation Army General Political Department
People’s Liberation Army General Political Department (GND)
The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Political Department"
Links |
https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Political_Department |
People’s Liberation Army General Staff Department
People’s Liberation Army General Staff Department (GSD)
The tag is: misp-galaxy:intelligence-agency="People’s Liberation Army General Staff Department"
Links |
https://en.wikipedia.org/wiki/People%27s_Liberation_Army_General_Staff_Department |
PLA Unit 61398
PLA Unit 61398 aka APT 1
The tag is: misp-galaxy:intelligence-agency="PLA Unit 61398"
Links |
State Administration of Foreign Experts Affairs
State Administration of Foreign Experts Affairs (SAFEA)
The tag is: misp-galaxy:intelligence-agency="State Administration of Foreign Experts Affairs"
Links |
https://en.wikipedia.org/wiki/State_Administration_of_Foreign_Experts_Affairs |
Ministry of Public Security (China)
Ministry of Public Security (MPS)
The tag is: misp-galaxy:intelligence-agency="Ministry of Public Security (China)"
Links |
https://en.wikipedia.org/wiki/Ministry_of_Public_Security_(China) |
Ministry of State Security (China)
Ministry of State Security (MSS)
The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (China)"
Links |
https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China) |
Office for Safeguarding National Security of the CPG in the HKSAR
Office for Safeguarding National Security of the CPG in the HKSAR (CPGNSO)
The tag is: misp-galaxy:intelligence-agency="Office for Safeguarding National Security of the CPG in the HKSAR"
Links |
https://en.wikipedia.org/wiki/Office_for_Safeguarding_National_Security_of_the_CPG_in_the_HKSAR |
National Intelligence Directorate (Colombia)
Dirección Nacional de Inteligencia (DNI)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Colombia)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Colombia) |
National Intelligence Agency (Democratic Republic of the Congo)
National Intelligence Agency (ANR)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Democratic Republic of the Congo)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Democratic_Republic_of_the_Congo) |
DEMIAP
General Staff of Military Intelligence (ex-DEMIAP)
The tag is: misp-galaxy:intelligence-agency="DEMIAP"
Links |
Security and Intelligence Agency
Sigurnosno-obavještajna agencija (SOA) (Security and Intelligence Agency)
The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Agency"
Links |
https://en.wikipedia.org/wiki/Security_and_Intelligence_Agency |
Vojna sigurnosno-obavještajna agencija
Vojna sigurnosno-obavještajna agencija (VSOA) (Military Security and Intelligence Agency)
The tag is: misp-galaxy:intelligence-agency="Vojna sigurnosno-obavještajna agencija"
Links |
https://en.wikipedia.org/wiki/Vojna_sigurnosno-obavje%C5%A1tajna_agencija |
Dirección de Contra-Inteligencia Militar
Military Counterintelligence Directorate
The tag is: misp-galaxy:intelligence-agency="Dirección de Contra-Inteligencia Militar"
Links |
https://en.wikipedia.org/wiki/Direcci%C3%B3n_de_Contra-Inteligencia_Militar |
Intelligence Directorate
Dirección General de Inteligencia (DGI)
The tag is: misp-galaxy:intelligence-agency="Intelligence Directorate"
Links |
Cyprus Intelligence Service
Cyprus Intelligence Service (CIS) (Κυπριακή Υπηρεσία Πληροφοριών, ΚΥΠ), formerly the Central Intelligence Service (KYP)
The tag is: misp-galaxy:intelligence-agency="Cyprus Intelligence Service"
Links |
Security Information Service
Security Information Service (Bezpečnostní informační služba, BIS)
The tag is: misp-galaxy:intelligence-agency="Security Information Service"
Links |
Office for Foreign Relations and Information
Office for Foreign Relations and Information (Úřad pro zahraniční styky a informace, ÚZSI)
The tag is: misp-galaxy:intelligence-agency="Office for Foreign Relations and Information"
Links |
https://en.wikipedia.org/wiki/Office_for_Foreign_Relations_and_Information |
Military Intelligence (Czech Republic)
Military Intelligence (Vojenské zpravodajství, VZ)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Czech Republic)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_(Czech_Republic) |
Danish Security and Intelligence Service
Danish Security and Intelligence Service (Politiets Efterretningstjeneste (PET)).
The tag is: misp-galaxy:intelligence-agency="Danish Security and Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Danish_Security_and_Intelligence_Service |
Danish Defence Intelligence Service
Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste (FE)).
The tag is: misp-galaxy:intelligence-agency="Danish Defence Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Danish_Defence_Intelligence_Service |
Army Intelligence Center
Army Intelligence Center (Efterretningsregimentet (EFR)).
The tag is: misp-galaxy:intelligence-agency="Army Intelligence Center"
Links |
Egyptian General Intelligence Directorate
Gihaz al-Mukhabarat al-Amma (GIS) (General Intelligence Service)
The tag is: misp-galaxy:intelligence-agency="Egyptian General Intelligence Directorate"
Links |
https://en.wikipedia.org/wiki/Egyptian_General_Intelligence_Directorate |
Military intelligence and reconnaissance (Egypt)
Idarat al-Mukhabarat al-Harbyya wa al-Istitla (OMIR) (Office of Military Intelligence and Reconnaissance)
The tag is: misp-galaxy:intelligence-agency="Military intelligence and reconnaissance (Egypt)"
Links |
https://en.wikipedia.org/wiki/Military_intelligence_and_reconnaissance_(Egypt) |
Egyptian Homeland security
Al-amn al-Watani (HS) (Homeland Security)
The tag is: misp-galaxy:intelligence-agency="Egyptian Homeland security"
Links |
National Security Office (Eritrea)
National Security Office
The tag is: misp-galaxy:intelligence-agency="National Security Office (Eritrea)"
Links |
https://en.wikipedia.org/wiki/National_Security_Office_(Eritrea) |
Estonian Internal Security Service
Estonian Internal Security Service (KaPo) (Kaitsepolitseiamet)
The tag is: misp-galaxy:intelligence-agency="Estonian Internal Security Service"
Estonian Internal Security Service is also known as:
-
Kaitsepolitseiamet
Links |
https://en.wikipedia.org/wiki/Estonian_Internal_Security_Service |
Estonian Foreign Intelligence Service
Estonian Foreign Intelligence Service (VLA) (Välisluureamet)
The tag is: misp-galaxy:intelligence-agency="Estonian Foreign Intelligence Service"
Estonian Foreign Intelligence Service is also known as:
-
VLA
-
Välisluureamet
Links |
https://en.wikipedia.org/wiki/Estonian_Foreign_Intelligence_Service |
National Intelligence and Security Service (Ethiopia)
National Intelligence and Security Service (NISS)
The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Ethiopia)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Ethiopia) |
Finnish Defence Intelligence Agency
Finnish Defence Intelligence Agency – Puolustusvoimien tiedustelulaitos (PVTIEDL) / Försvarsmaktens underrättelsetjänst
The tag is: misp-galaxy:intelligence-agency="Finnish Defence Intelligence Agency"
Finnish Defence Intelligence Agency is also known as:
-
Puolustusvoimien tiedustelulaitos (PVTIEDL)
-
Försvarsmaktens underrättelsetjänst
Links |
https://en.wikipedia.org/wiki/Finnish_Defence_Intelligence_Agency |
Intelligence Division (Finland)
Defense Command Intelligence Division – Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning
The tag is: misp-galaxy:intelligence-agency="Intelligence Division (Finland)"
Intelligence Division (Finland) is also known as:
-
Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning
Links |
https://en.wikipedia.org/wiki/Intelligence_Division_(Finland) |
Finnish Security Intelligence Service
Finnish Security Intelligence Service (SUPO) – Suojelupoliisi / Skyddspolisen
The tag is: misp-galaxy:intelligence-agency="Finnish Security Intelligence Service"
Finnish Security Intelligence Service is also known as:
-
Suojelupoliisi / Skyddspolisen
Links |
https://en.wikipedia.org/wiki/Finnish_Security_Intelligence_Service |
National Centre for Counter Terrorism
National Centre for Counter Terrorism (CNRLT, Coordination nationale du renseignement et de la lutte contre le terrorisme)
The tag is: misp-galaxy:intelligence-agency="National Centre for Counter Terrorism"
National Centre for Counter Terrorism is also known as:
-
Coordination nationale du renseignement et de la lutte contre le terrorisme
Links |
https://en.wikipedia.org/wiki/National_Centre_for_Counter_Terrorism |
General Directorate for Internal Security
General Directorate for Internal Security (DGSI; Direction générale de la sécurité intérieure) – Domestic counter-terrorism and counter-espionage intelligence.
The tag is: misp-galaxy:intelligence-agency="General Directorate for Internal Security"
General Directorate for Internal Security is also known as:
-
Direction générale de la sécurité intérieure
Links |
https://en.wikipedia.org/wiki/General_Directorate_for_Internal_Security |
direction nationale du renseignement territorial (DNRT)
direction nationale du renseignement territorial (DNRT)
The tag is: misp-galaxy:intelligence-agency="direction nationale du renseignement territorial (DNRT)"
direction nationale du renseignement territorial (DNRT) is also known as:
-
direction nationale du renseignement territorial
Sous-direction anti-terroriste (SDAT)
Sous-direction anti-terroriste (SDAT)
The tag is: misp-galaxy:intelligence-agency="Sous-direction anti-terroriste (SDAT)"
Sous-direction anti-terroriste (SDAT) is also known as:
-
Sous-direction anti-terroriste
Directorate-General for External Security
Directorate-General for External Security (DGSE; Direction générale de la sécurité extérieure) – Foreign intelligence relating to national security.
The tag is: misp-galaxy:intelligence-agency="Directorate-General for External Security"
Directorate-General for External Security is also known as:
-
Direction générale de la sécurité extérieure
Links |
https://en.wikipedia.org/wiki/Directorate-General_for_External_Security |
DRSD
Directorate of Defence Intelligence and Security (DRSD; Direction du Renseignement et de la Sécurité de la Défense) – Defence counter-intelligence and security.
The tag is: misp-galaxy:intelligence-agency="DRSD"
DRSD is also known as:
-
Direction du Renseignement et de la Sécurité de la Défense
Direction du renseignement militaire
Directorate of Military Intelligence (DRM; Direction du renseignement militaire) – Military intelligence.
The tag is: misp-galaxy:intelligence-agency="Direction du renseignement militaire"
Links |
https://en.wikipedia.org/wiki/Direction_du_renseignement_militaire |
Tracfin
Tracfin
The tag is: misp-galaxy:intelligence-agency="Tracfin"
Direction Nationale du Renseignement et des Enquêtes Douanières
Direction Nationale du Renseignement et des Enquêtes Douanières (DNRED)
The tag is: misp-galaxy:intelligence-agency="Direction Nationale du Renseignement et des Enquêtes Douanières"
State Intelligence Services (the Gambia)
State Intelligence Services (the Gambia) (SIS)
The tag is: misp-galaxy:intelligence-agency="State Intelligence Services (the Gambia)"
Links |
https://en.wikipedia.org/wiki/State_Intelligence_Services_(the_Gambia) |
State Security Service (Georgia)
State Security Service (SSSG) − სახელმწიფო უშიშროების სამსახური
The tag is: misp-galaxy:intelligence-agency="State Security Service (Georgia)"
State Security Service (Georgia) is also known as:
-
სახელმწიფო უშიშროების სამსახური
Links |
https://en.wikipedia.org/wiki/State_Security_Service_(Georgia) |
Georgian Intelligence Service
Georgian Intelligence Service (GIS) − საქართველოს დაზვერვის სამსახური
The tag is: misp-galaxy:intelligence-agency="Georgian Intelligence Service"
Georgian Intelligence Service is also known as:
-
საქართველოს დაზვერვის სამსახური
Military Intelligence Department
Military Intelligence Department
The tag is: misp-galaxy:intelligence-agency="Military Intelligence Department"
Bundesnachrichtendienst
Bundesnachrichtendienst (BND): Federal Intelligence Service
The tag is: misp-galaxy:intelligence-agency="Bundesnachrichtendienst"
Bundesnachrichtendienst is also known as:
-
Federal Intelligence Service
Bundesamt für Verfassungsschutz
Bundesamt für Verfassungsschutz (BfV): Federal Office for the Protection of the Constitution
The tag is: misp-galaxy:intelligence-agency="Bundesamt für Verfassungsschutz"
Bundesamt für Verfassungsschutz is also known as:
-
Federal Office for the Protection of the Constitution
Links |
https://en.wikipedia.org/wiki/Bundesamt_f%C3%BCr_Verfassungsschutz |
Federal Office for Information Security
Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security
The tag is: misp-galaxy:intelligence-agency="Federal Office for Information Security"
Links |
https://en.wikipedia.org/wiki/Federal_Office_for_Information_Security |
Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology
Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology
The tag is: misp-galaxy:intelligence-agency="Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology"
Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology is also known as:
-
Center for information and communication technology
Militärischer Abschirmdienst
Militärischer Abschirmdienst (MAD): Military Counterintelligence Service
The tag is: misp-galaxy:intelligence-agency="Militärischer Abschirmdienst"
Militärischer Abschirmdienst is also known as:
-
Military Counterintelligence Service
Links |
https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Abschirmdienst |
State Authority for the Protection of the Constitution
Landesamt für Verfassungsschutz (LfV): State Authority for the Protection of the Constitution (semi-independent; one per federal state)
The tag is: misp-galaxy:intelligence-agency="State Authority for the Protection of the Constitution"
Links |
https://en.wikipedia.org/wiki/State_Authority_for_the_Protection_of_the_Constitution |
Bureau of National Investigations
Bureau of National Investigations (BNI) – (Internal Intelligence Agency)
The tag is: misp-galaxy:intelligence-agency="Bureau of National Investigations"
Links |
https://en.wikipedia.org/wiki/Bureau_of_National_Investigations |
National Intelligence Service (Greece)
National Intelligence Service (ΕΥΠ) – Εθνική Υπηρεσία Πληροφοριών
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Greece)"
National Intelligence Service (Greece) is also known as:
-
Εθνική Υπηρεσία Πληροφοριών
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(Greece) |
E Division – Intelligence Division
E Division – Intelligence Division
The tag is: misp-galaxy:intelligence-agency="E Division – Intelligence Division"
National Intelligence and Security Agency (NISA)[6][7][8][9]
National Intelligence and Security Agency (NISA)[6][7][8][9]
The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency (NISA)[6][7][8][9]"
Service d’Intelligence National
Service d’Intelligence National (SIN) (National Intelligence Service)
The tag is: misp-galaxy:intelligence-agency="Service d’Intelligence National"
Links |
https://en.wikipedia.org/wiki/Service_d%27Intelligence_National |
Információs Hivatal
Információs Hivatal (IH) (Information Office)
The tag is: misp-galaxy:intelligence-agency="Információs Hivatal"
Nemzetbiztonsági Hivatal
Alkotmányvédelmi Hivatal (AH) (Constitution Protection Office)
The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Hivatal"
Terrorelhárítási Központ
Terrorelhárítási Központ (TEK) (Counter Terrorism Centre)
The tag is: misp-galaxy:intelligence-agency="Terrorelhárítási Központ"
Links |
https://en.wikipedia.org/wiki/Terrorelh%C3%A1r%C3%ADt%C3%A1si_K%C3%B6zpont |
Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)
Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)
The tag is: misp-galaxy:intelligence-agency="Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)"
Nemzeti Információs Központ (NIK) (National Information Center)
Nemzeti Információs Központ (NIK) (National Information Center)
The tag is: misp-galaxy:intelligence-agency="Nemzeti Információs Központ (NIK) (National Information Center)"
Icelandic Police
The National Police Commissioner’s Analysis Unit – Greiningardeild Ríkislögreglustjóra (GRLS)
The tag is: misp-galaxy:intelligence-agency="Icelandic Police"
Links |
https://en.wikipedia.org/wiki/Icelandic_Police#The_Icelandic_Intelligence_Service |
Icelandic Crisis Response Unit
Icelandic Defense Agency’s Analysis Unit – Greiningardeild Varnarmálastofnunar Íslands (GVMSÍ) (Defunct)
The tag is: misp-galaxy:intelligence-agency="Icelandic Crisis Response Unit"
Links |
https://en.wikipedia.org/wiki/Icelandic_Crisis_Response_Unit#Intelligence_gathering |
Research and Analysis Wing
Research and Analysis Wing (R&AW)
The tag is: misp-galaxy:intelligence-agency="Research and Analysis Wing"
Intelligence Bureau (India)
Intelligence Bureau (IB)
The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (India)"
National Investigation Agency
National Investigation Agency
The tag is: misp-galaxy:intelligence-agency="National Investigation Agency"
National Technical Research Organisation
National Technical Research Organisation (NTRO)
The tag is: misp-galaxy:intelligence-agency="National Technical Research Organisation"
Links |
https://en.wikipedia.org/wiki/National_Technical_Research_Organisation |
Directorate of Revenue Intelligence
Directorate of Revenue Intelligence
The tag is: misp-galaxy:intelligence-agency="Directorate of Revenue Intelligence"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Revenue_Intelligence |
Ministry of Finance (India)
Economic Intelligence Council
The tag is: misp-galaxy:intelligence-agency="Ministry of Finance (India)"
Enforcement Directorate
Enforcement Directorate
The tag is: misp-galaxy:intelligence-agency="Enforcement Directorate"
Directorate General of GST Intelligence
Directorate General of GST Intelligence (DGGI)
The tag is: misp-galaxy:intelligence-agency="Directorate General of GST Intelligence"
Links |
https://en.wikipedia.org/wiki/Directorate_General_of_GST_Intelligence |
Indian Army
Directorate of Military Intelligence
The tag is: misp-galaxy:intelligence-agency="Indian Army"
Directorate of Air Intelligence (India)
Directorate of Air Intelligence
The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence (India)"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Air_Intelligence_(India) |
Directorate of Naval Intelligence (India)
Directorate of Naval Intelligence
The tag is: misp-galaxy:intelligence-agency="Directorate of Naval Intelligence (India)"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Naval_Intelligence_(India) |
Joint Cipher Bureau
Joint Cipher Bureau
The tag is: misp-galaxy:intelligence-agency="Joint Cipher Bureau"
State Intelligence Agency (Indonesia)
State Intelligence Agency (BIN) – Badan Intelijen Negara
The tag is: misp-galaxy:intelligence-agency="State Intelligence Agency (Indonesia)"
State Intelligence Agency (Indonesia) is also known as:
-
Badan Intelijen Negara
Links |
https://en.wikipedia.org/wiki/State_Intelligence_Agency_(Indonesia) |
Indonesian Strategic Intelligence Agency
Indonesian Strategic Intelligence Agency (BAIS) – Badan Intelijen Strategis Tentara Nasional Indonesia
The tag is: misp-galaxy:intelligence-agency="Indonesian Strategic Intelligence Agency"
Indonesian Strategic Intelligence Agency is also known as:
-
Badan Intelijen Strategis Tentara Nasional Indonesia
Links |
https://en.wikipedia.org/wiki/Indonesian_Strategic_Intelligence_Agency |
Indonesian Army Intelligence Centre
Indonesian Army Intelligence Centre (PUSINTELAD) – Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat
The tag is: misp-galaxy:intelligence-agency="Indonesian Army Intelligence Centre"
Indonesian Army Intelligence Centre is also known as:
-
Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat
Links |
https://en.wikipedia.org/wiki/Indonesian_Army_Intelligence_Centre |
National Cyber and Crypto Agency
National Cyber and Crypto Agency (BSSN) – Badan Siber dan Sandi Negara
The tag is: misp-galaxy:intelligence-agency="National Cyber and Crypto Agency"
National Cyber and Crypto Agency is also known as:
-
Badan Siber dan Sandi Negara
Links |
https://en.wikipedia.org/wiki/National_Cyber_and_Crypto_Agency |
Attorney General’s Office of Indonesia
Deputy Attorney General on Intelligence (Under the Attorney General’s Office) – Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung
The tag is: misp-galaxy:intelligence-agency="Attorney General’s Office of Indonesia"
Attorney General’s Office of Indonesia is also known as:
-
Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung
Links |
https://en.wikipedia.org/wiki/Attorney_General%27s_Office_of_Indonesia |
Directorate General of Immigration (Indonesia)
Directorate of Immigration Intelligence – Direktorat Intelijen Imigrasi
The tag is: misp-galaxy:intelligence-agency="Directorate General of Immigration (Indonesia)"
Directorate General of Immigration (Indonesia) is also known as:
-
Direktorat Intelijen Imigrasi
Links |
https://en.wikipedia.org/wiki/Directorate_General_of_Immigration_(Indonesia) |
National Anti-Narcotics Agency (Indonesia)
National Narcotics Agency Intelligence Section – Seksi Intelijen Badan Narkotika Nasional
The tag is: misp-galaxy:intelligence-agency="National Anti-Narcotics Agency (Indonesia)"
National Anti-Narcotics Agency (Indonesia) is also known as:
-
Seksi Intelijen Badan Narkotika Nasional
Links |
https://en.wikipedia.org/wiki/National_Anti-Narcotics_Agency_(Indonesia) |
id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia
Indonesian National Police Intelligence and Security Agency - Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia
The tag is: misp-galaxy:intelligence-agency="id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia"
id:Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia is also known as:
-
Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia
Directorate General of Customs and Excise (Indonesia)
Customs & Excise Sub-Directorate of Intelligence – Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai
The tag is: misp-galaxy:intelligence-agency="Directorate General of Customs and Excise (Indonesia)"
Directorate General of Customs and Excise (Indonesia) is also known as:
-
Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai
Links |
https://en.wikipedia.org/wiki/Directorate_General_of_Customs_and_Excise_(Indonesia) |
Indonesian Financial Transaction Reports and Analysis Center
Indonesian Financial Transaction Reports and Analysis Center (PPATK) – Pusat Pelaporan dan Analisis Transaksi Keuangan
The tag is: misp-galaxy:intelligence-agency="Indonesian Financial Transaction Reports and Analysis Center"
Indonesian Financial Transaction Reports and Analysis Center is also known as:
-
Pusat Pelaporan dan Analisis Transaksi Keuangan
Links |
https://en.wikipedia.org/wiki/Indonesian_Financial_Transaction_Reports_and_Analysis_Center |
Ministry of Intelligence (Iran)
Ministry of Intelligence (VAJA)
The tag is: misp-galaxy:intelligence-agency="Ministry of Intelligence (Iran)"
Links |
https://en.wikipedia.org/wiki/Ministry_of_Intelligence_(Iran) |
Oghab 2
Oghab 2 – Nuclear facilities security
The tag is: misp-galaxy:intelligence-agency="Oghab 2"
Council for Intelligence Coordination
Council for Intelligence Coordination
The tag is: misp-galaxy:intelligence-agency="Council for Intelligence Coordination"
Links |
https://en.wikipedia.org/wiki/Council_for_Intelligence_Coordination |
Intelligence Protection Organization of Islamic Republic of Iran Army
Intelligence Protection Organization of Iranian Army (SAHEFAJA)
The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Islamic Republic of Iran Army"
Links |
https://en.wikipedia.org/wiki/Intelligence_Protection_Organization_of_Islamic_Republic_of_Iran_Army |
Intelligence Organization of Army of the Guardians of the Islamic Revolution
Intelligence Organization of IRGC
The tag is: misp-galaxy:intelligence-agency="Intelligence Organization of Army of the Guardians of the Islamic Revolution"
Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution
Intelligence Protection Organization of IRGC (SAHEFASA)
The tag is: misp-galaxy:intelligence-agency="Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution"
Intelligence org of FARAJA
Intelligence org of FARAJA
The tag is: misp-galaxy:intelligence-agency="Intelligence org of FARAJA"
Intelligence org of the Islamic Republic of Iran[12]
Intelligence org of the Islamic Republic of Iran[12]
The tag is: misp-galaxy:intelligence-agency="Intelligence org of the Islamic Republic of Iran[12]"
General Security Directorate (Iraq)
General Security Directorate - (GSD) - (Internal security agency)
The tag is: misp-galaxy:intelligence-agency="General Security Directorate (Iraq)"
Links |
https://en.wikipedia.org/wiki/General_Security_Directorate_(Iraq) |
Iraqi National Intelligence Service
Iraqi National Intelligence Service - (INIS) - (Foreign intelligence and Special operations)
The tag is: misp-galaxy:intelligence-agency="Iraqi National Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Iraqi_National_Intelligence_Service |
Falcons Intelligence Cell
Falcons Intelligence Cell - (FIC) - (Military intelligence)
The tag is: misp-galaxy:intelligence-agency="Falcons Intelligence Cell"
Kurdistan Region Security Council
Kurdistan Region Security Council (KRSC) - (Regional security agency)
The tag is: misp-galaxy:intelligence-agency="Kurdistan Region Security Council"
Links |
https://en.wikipedia.org/wiki/Kurdistan_Region_Security_Council |
Intelligence and Counter-Terrorism Directorate - Ministry of Interior
Intelligence and Counter-Terrorism Directorate - Ministry of Interior
The tag is: misp-galaxy:intelligence-agency="Intelligence and Counter-Terrorism Directorate - Ministry of Interior"
Directorate of Military Intelligence (Ireland)
Directorate of Military Intelligence (G2)
The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Ireland)"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Ireland) |
CIS Corps (Ireland)
Communications and Information Services Corps (CIS) SIGINT Section
The tag is: misp-galaxy:intelligence-agency="CIS Corps (Ireland)"
Special Detective Unit
Special Detective Unit (SDU)
The tag is: misp-galaxy:intelligence-agency="Special Detective Unit"
Garda National Surveillance Unit
National Surveillance Unit (NSU)
The tag is: misp-galaxy:intelligence-agency="Garda National Surveillance Unit"
Links |
https://en.wikipedia.org/wiki/Garda_National_Surveillance_Unit |
National Economic Crime Bureau
Financial Intelligence Unit (FIU)
The tag is: misp-galaxy:intelligence-agency="National Economic Crime Bureau"
Links |
https://en.wikipedia.org/wiki/National_Economic_Crime_Bureau |
Mossad
Mossad (Foreign Intelligence and Special Operations)
The tag is: misp-galaxy:intelligence-agency="Mossad"
Shin Bet
Shin Bet (Internal Security Service)
The tag is: misp-galaxy:intelligence-agency="Shin Bet"
Military Intelligence Directorate (Israel)
Aman (Military intelligence)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Israel)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Israel) |
Lahav 433
Lahav 433 (Police intelligence)
The tag is: misp-galaxy:intelligence-agency="Lahav 433"
Agenzia Informazioni e Sicurezza Interna
Agenzia Informazioni e Sicurezza Interna (AISI) - Agency for Internal Information and Security
The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Interna"
Links |
https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Interna |
Agenzia Informazioni e Sicurezza Esterna
Agenzia Informazioni e Sicurezza Esterna (AISE) - Agency for External Information and Security
The tag is: misp-galaxy:intelligence-agency="Agenzia Informazioni e Sicurezza Esterna"
Links |
https://en.wikipedia.org/wiki/Agenzia_Informazioni_e_Sicurezza_Esterna |
Centro Intelligence Interforze
Centro Intelligence Interforze (CII) - Joint Intelligence Center
The tag is: misp-galaxy:intelligence-agency="Centro Intelligence Interforze"
Links |
https://en.wikipedia.org/wiki/Centro_Intelligence_Interforze |
Financial Investigations Division (FID)[14]
Financial Investigations Division (FID)[14]
The tag is: misp-galaxy:intelligence-agency="Financial Investigations Division (FID)[14]"
Cabinet Intelligence and Research Office
Cabinet Intelligence and Research Office (CIRO)
The tag is: misp-galaxy:intelligence-agency="Cabinet Intelligence and Research Office"
Links |
https://en.wikipedia.org/wiki/Cabinet_Intelligence_and_Research_Office |
Defense Intelligence Headquarters
Defense Intelligence Headquarters (DIH)
The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Headquarters"
Links |
https://en.wikipedia.org/wiki/Defense_Intelligence_Headquarters |
Public Security Intelligence Agency
Public Security Intelligence Agency (PSIA)
The tag is: misp-galaxy:intelligence-agency="Public Security Intelligence Agency"
Links |
https://en.wikipedia.org/wiki/Public_Security_Intelligence_Agency |
Dairat al-Mukhabarat al-Ammah
General Intelligence Department (GID) - (Da’irat al-Mukhabarat al-’Ammah)
The tag is: misp-galaxy:intelligence-agency="Dairat al-Mukhabarat al-Ammah"
National Intelligence Service (Kenya)
National Intelligence Service (NIS)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (Kenya)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(Kenya) |
Criminal Investigation Department (Kenya)
Directorate of Criminal Investigation (DCI)
The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Kenya)"
Links |
https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Kenya) |
Military Intelligence(MI)
Military Intelligence(MI)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence(MI)"
State Committee for National Security (Kyrgyzstan)
State Committee for National Security (UKMK/GKNB)
The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Kyrgyzstan)"
Links |
https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Kyrgyzstan) |
General Directorate of General Security
General Directorate of General Security
The tag is: misp-galaxy:intelligence-agency="General Directorate of General Security"
Links |
https://en.wikipedia.org/wiki/General_Directorate_of_General_Security |
The Information Branch
The Information Branch
The tag is: misp-galaxy:intelligence-agency="The Information Branch"
Lebanese State Security
Lebanese State Security
The tag is: misp-galaxy:intelligence-agency="Lebanese State Security"
National Security Agency (Liberia)
National Security Agency
The tag is: misp-galaxy:intelligence-agency="National Security Agency (Liberia)"
Links |
https://en.wikipedia.org/wiki/National_Security_Agency_(Liberia) |
State Security Department of Lithuania
State Security Department - (Valstybes saugumo departamentas (VSD))
The tag is: misp-galaxy:intelligence-agency="State Security Department of Lithuania"
Links |
https://en.wikipedia.org/wiki/State_Security_Department_of_Lithuania |
Second Investigation Department
Second Investigation Department - (Antrasis operatyvinių tarnybų departamentas (AOTD))
The tag is: misp-galaxy:intelligence-agency="Second Investigation Department"
Links |
https://en.wikipedia.org/wiki/Second_Investigation_Department |
Service de Renseignement de l’État
Luxembourg State Intelligence Service - (Service de Renseignement de l’État Luxembourgeois)
The tag is: misp-galaxy:intelligence-agency="Service de Renseignement de l’État"
Links |
https://en.wikipedia.org/wiki/Service_de_Renseignement_de_l%E2%80%99%C3%89tat |
Central Intelligence Service (CIS)[15]
Central Intelligence Service (CIS)[15]
The tag is: misp-galaxy:intelligence-agency="Central Intelligence Service (CIS)[15]"
Malaysian Defence Intelligence Organisation
Malaysian Defence Intelligence Organisation (Military Intelligence)
The tag is: misp-galaxy:intelligence-agency="Malaysian Defence Intelligence Organisation"
Links |
https://en.wikipedia.org/wiki/Malaysian_Defence_Intelligence_Organisation |
Research Division of the Prime Minister’s Department
Malaysian External Intelligence Organisation (Foreign Intelligence)
The tag is: misp-galaxy:intelligence-agency="Research Division of the Prime Minister’s Department"
Links |
https://en.wikipedia.org/wiki/Research_Division_of_the_Prime_Minister%27s_Department |
Malaysian Special Branch
Malaysian Special Branch (Police & Internal Intelligence)
The tag is: misp-galaxy:intelligence-agency="Malaysian Special Branch"
Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)
Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)
The tag is: misp-galaxy:intelligence-agency="Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)"
Assistant Attorney General’s Office for Special Investigations on Organized Crime
Assistant Attorney General’s Office for Special Investigations on Organized Crime (SEIDO / PGR)
The tag is: misp-galaxy:intelligence-agency="Assistant Attorney General’s Office for Special Investigations on Organized Crime"
Federal Police (Mexico)
Intelligence Division of the Federal Police (Division de Inteligencia – CNS / Policia Federal)
The tag is: misp-galaxy:intelligence-agency="Federal Police (Mexico)"
Links |
https://en.wikipedia.org/wiki/Federal_Police_(Mexico)#Intelligence_Division |
National Intelligence Centre (México)
National Intelligence Centre (CNI)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Centre (México)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Centre_(M%C3%A9xico) |
Estado Mayor Presidencial
2nd Section of the National Defense Intelligence Staff (SEDENA S-2 – Seccion 2da: Inteligencia del Estado Mayor)
The tag is: misp-galaxy:intelligence-agency="Estado Mayor Presidencial"
SEDENA
Military Intelligence – National Defense Ministry (Inteligencia Militar – SEDENA / Ejercito y Fuerza Aerea)
The tag is: misp-galaxy:intelligence-agency="SEDENA"
Secretariat of the Navy
Naval Intelligence - (Inteligencia Naval / SEMAR / Marina Armada)
The tag is: misp-galaxy:intelligence-agency="Secretariat of the Navy"
Information and Security Service of the Republic of Moldova
Information and Security Service (SIS)
The tag is: misp-galaxy:intelligence-agency="Information and Security Service of the Republic of Moldova"
Links |
https://en.wikipedia.org/wiki/Information_and_Security_Service_of_the_Republic_of_Moldova |
General Intelligence Agency of Mongolia
General Intelligence Agency of Mongolia (GIA)
The tag is: misp-galaxy:intelligence-agency="General Intelligence Agency of Mongolia"
Links |
https://en.wikipedia.org/wiki/General_Intelligence_Agency_of_Mongolia |
National Security Agency (Montenegro)
National Security Agency (ANB)
The tag is: misp-galaxy:intelligence-agency="National Security Agency (Montenegro)"
Links |
https://en.wikipedia.org/wiki/National_Security_Agency_(Montenegro) |
General Directorate for Territorial Surveillance (Morocco)
General Directorate for Territorial Surveillance - Direction de la Surveillance du Territoire (DST)
The tag is: misp-galaxy:intelligence-agency="General Directorate for Territorial Surveillance (Morocco)"
Links |
https://en.wikipedia.org/wiki/General_Directorate_for_Territorial_Surveillance_(Morocco) |
Deuxième Bureau (Morocco)
Deuxième Bureau (Morocco) - Military secret service
The tag is: misp-galaxy:intelligence-agency="Deuxième Bureau (Morocco)"
Links |
https://en.wikipedia.org/wiki/Deuxi%C3%A8me_Bureau_(Morocco) |
Direction Generale pour l’Etude et la Documentation
Directorate of Research and Documentation - Direction Generale pour l’Etude et la Documentation (DGED)
The tag is: misp-galaxy:intelligence-agency="Direction Generale pour l’Etude et la Documentation"
Links |
https://en.wikipedia.org/wiki/Direction_Generale_pour_l%27Etude_et_la_Documentation |
Office of the Chief of Military Security Affairs
Office of the Chief of Military Security Affairs (OCMSA)
The tag is: misp-galaxy:intelligence-agency="Office of the Chief of Military Security Affairs"
Links |
https://en.wikipedia.org/wiki/Office_of_the_Chief_of_Military_Security_Affairs |
Bureau Of Special Investigation
Bureau Of Special Investigation (BSI)
The tag is: misp-galaxy:intelligence-agency="Bureau Of Special Investigation"
Links |
https://en.wikipedia.org/wiki/Bureau_Of_Special_Investigation |
Special Intelligence Department
Special Intelligence Department (SID)
The tag is: misp-galaxy:intelligence-agency="Special Intelligence Department"
Links |
https://en.wikipedia.org/wiki/Special_Intelligence_Department |
Namibia Central Intelligence Service
Namibia Central Intelligence Service (NCIS)
The tag is: misp-galaxy:intelligence-agency="Namibia Central Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Namibia_Central_Intelligence_Service |
Directorate of Military Intelligence, Nepal
Directorate of Military Intelligence (DMI)
The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence, Nepal"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence,_Nepal |
National Investigation Department of Nepal
National Investigation Department (NID)
The tag is: misp-galaxy:intelligence-agency="National Investigation Department of Nepal"
Links |
https://en.wikipedia.org/wiki/National_Investigation_Department_of_Nepal |
General Intelligence and Security Service
General Intelligence and Security Service - Algemene Inlichtingen en Veiligheidsdienst (AIVD)
The tag is: misp-galaxy:intelligence-agency="General Intelligence and Security Service"
Links |
https://en.wikipedia.org/wiki/General_Intelligence_and_Security_Service |
Joint Sigint Cyber Unit
Joint Sigint Cyber Unit (JSCU)
The tag is: misp-galaxy:intelligence-agency="Joint Sigint Cyber Unit"
National Coordinator for Counterterrorism and Security
National Coordinator for Counterterrorism and Security - Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)
The tag is: misp-galaxy:intelligence-agency="National Coordinator for Counterterrorism and Security"
National Coordinator for Counterterrorism and Security is also known as:
-
Nationaal Coördinator Terrorismebestrijding en Veiligheid
Links |
https://en.wikipedia.org/wiki/National_Coordinator_for_Counterterrorism_and_Security |
Team Criminal Intelligence (KMar-TCI)
Team Criminal Intelligence (KMar-TCI)
The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (KMar-TCI)"
Team Criminal Intelligence (FIOD-TCI)
Team Criminal Intelligence (FIOD-TCI)
The tag is: misp-galaxy:intelligence-agency="Team Criminal Intelligence (FIOD-TCI)"
Government Communications Security Bureau
Government Communications Security Bureau
The tag is: misp-galaxy:intelligence-agency="Government Communications Security Bureau"
Links |
https://en.wikipedia.org/wiki/Government_Communications_Security_Bureau |
New Zealand Security Intelligence Service
New Zealand Security Intelligence Service
The tag is: misp-galaxy:intelligence-agency="New Zealand Security Intelligence Service"
Links |
https://en.wikipedia.org/wiki/New_Zealand_Security_Intelligence_Service |
National Assessments Bureau
National Assessments Bureau
The tag is: misp-galaxy:intelligence-agency="National Assessments Bureau"
National Intelligence Agency (Nigeria)
National Intelligence Agency (Foreign Intelligence and Counterintelligence)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Nigeria)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Nigeria) |
Defence Intelligence Agency (Nigeria)
Defence Intelligence Agency (Military Intelligence)
The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Agency (Nigeria)"
Links |
https://en.wikipedia.org/wiki/Defence_Intelligence_Agency_(Nigeria) |
State Security Service (Nigeria)
State Security Service (Internal Security)
The tag is: misp-galaxy:intelligence-agency="State Security Service (Nigeria)"
Links |
https://en.wikipedia.org/wiki/State_Security_Service_(Nigeria) |
Reconnaissance General Bureau
Reconnaissance General Bureau
The tag is: misp-galaxy:intelligence-agency="Reconnaissance General Bureau"
Ministry of State Security (North Korea)
Ministry of State Security[22]
The tag is: misp-galaxy:intelligence-agency="Ministry of State Security (North Korea)"
Links |
https://en.wikipedia.org/wiki/Ministry_of_State_Security_(North_Korea) |
Administration for Security and Counterintelligence
Administration for Security and Counterintelligence (Uprava za bezbednost i kontrarazuznavanje) (Police Agency)
The tag is: misp-galaxy:intelligence-agency="Administration for Security and Counterintelligence"
Administration for Security and Counterintelligence is also known as:
- Uprava za bezbednost i kontrarazuznavanje
Links |
https://en.wikipedia.org/wiki/Administration_for_Security_and_Counterintelligence |
Intelligence Agency of North Macedonia
Intelligence Agency (Agencija za Razuznavanje) (Civilian Agency) IA
The tag is: misp-galaxy:intelligence-agency="Intelligence Agency of North Macedonia"
Intelligence Agency of North Macedonia is also known as:
- Agencija za Razuznavanje
Links |
https://en.wikipedia.org/wiki/Intelligence_Agency_of_North_Macedonia |
Military Service for Security and Intelligence
Military Service for Security and Intelligence (Voena služba za razuznuvanje i bezbednost) (Military Agency) [1]
The tag is: misp-galaxy:intelligence-agency="Military Service for Security and Intelligence"
Military Service for Security and Intelligence is also known as:
- Voena služba za razuznuvanje i bezbednost
Links |
https://en.wikipedia.org/wiki/Military_Service_for_Security_and_Intelligence |
Nasjonal sikkerhetsmyndighet
Nasjonal sikkerhetsmyndighet (NSM) (National Security Authority)
The tag is: misp-galaxy:intelligence-agency="Nasjonal sikkerhetsmyndighet"
Politiets sikkerhetstjeneste
Politiets sikkerhetstjeneste (PST) (Police Security Service)
The tag is: misp-galaxy:intelligence-agency="Politiets sikkerhetstjeneste"
Etterretningstjenesten
Etterretningstjenesten (NIS) (Norwegian Intelligence Service)
The tag is: misp-galaxy:intelligence-agency="Etterretningstjenesten"
Forsvarets sikkerhetstjeneste
Forsvarets sikkerhetstjeneste (FOST) – Norwegian Defence Security Service (NORDSS)
The tag is: misp-galaxy:intelligence-agency="Forsvarets sikkerhetstjeneste"
Palace Office (Oman)
The Palace Office [Foreign Intelligence]
The tag is: misp-galaxy:intelligence-agency="Palace Office (Oman)"
Internal Security Service
Internal Security Service [Internal Security]
The tag is: misp-galaxy:intelligence-agency="Internal Security Service"
Inter-Services Intelligence
Inter-Services Intelligence (ISI)
The tag is: misp-galaxy:intelligence-agency="Inter-Services Intelligence"
Air Intelligence (Pakistan)
Air Intelligence (AI)
The tag is: misp-galaxy:intelligence-agency="Air Intelligence (Pakistan)"
Military Intelligence (Pakistan)
Military Intelligence (MI)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence (Pakistan)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_(Pakistan) |
Naval Intelligence (Pakistan)
Naval Intelligence (NI)
The tag is: misp-galaxy:intelligence-agency="Naval Intelligence (Pakistan)"
Intelligence Bureau (Pakistan)
Intelligence Bureau (IB)
The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (Pakistan)"
Links |
https://en.wikipedia.org/wiki/Intelligence_Bureau_(Pakistan) |
Federal Investigation Agency
Federal Investigation Agency (FIA)
The tag is: misp-galaxy:intelligence-agency="Federal Investigation Agency"
National Counter Terrorism Authority
National Counter Terrorism Authority (NACTA)
The tag is: misp-galaxy:intelligence-agency="National Counter Terrorism Authority"
Links |
https://en.wikipedia.org/wiki/National_Counter_Terrorism_Authority |
Counter Terrorism Department (Pakistan)
Counter Terrorism Department (CTD)
The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Department (Pakistan)"
Links |
https://en.wikipedia.org/wiki/Counter_Terrorism_Department_(Pakistan) |
National Intelligence Directorate (Pakistan)
National Intelligence Directorate (NID)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Directorate (Pakistan)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Directorate_(Pakistan) |
Special Branch (Pakistan)
Special Branch (Pakistan)
The tag is: misp-galaxy:intelligence-agency="Special Branch (Pakistan)"
Directorate General of Intelligence and Investigation
Directorate-General of Intelligence and Investigation (DGII)
The tag is: misp-galaxy:intelligence-agency="Directorate General of Intelligence and Investigation"
Links |
https://en.wikipedia.org/wiki/Directorate_General_of_Intelligence_and_Investigation |
Financial Monitoring Unit
Financial Monitoring Unit (FMU)
The tag is: misp-galaxy:intelligence-agency="Financial Monitoring Unit"
National Accountability Bureau
National Accountability Bureau (NAB)
The tag is: misp-galaxy:intelligence-agency="National Accountability Bureau"
Links |
https://en.wikipedia.org/wiki/National_Accountability_Bureau |
Security and Exchange Commission of Pakistan
Security and Exchange Commission Pakistan (SECP)
The tag is: misp-galaxy:intelligence-agency="Security and Exchange Commission of Pakistan"
Links |
https://en.wikipedia.org/wiki/Security_and_Exchange_Commission_of_Pakistan |
Anti-Narcotics Force
Anti-Narcotics Force (ANF)
The tag is: misp-galaxy:intelligence-agency="Anti-Narcotics Force"
National Crises Management Cell
National Crises Management Cell (NCMC)
The tag is: misp-galaxy:intelligence-agency="National Crises Management Cell"
Links |
https://en.wikipedia.org/wiki/National_Crises_Management_Cell |
Palestinian Preventive Security
Palestinian Preventive Security (internal security)
The tag is: misp-galaxy:intelligence-agency="Palestinian Preventive Security"
Links |
https://en.wikipedia.org/wiki/Palestinian_Preventive_Security |
Palestinian National Security Forces
Palestinian National Security Forces
The tag is: misp-galaxy:intelligence-agency="Palestinian National Security Forces"
Links |
https://en.wikipedia.org/wiki/Palestinian_National_Security_Forces |
National Police Intelligence Directorate
National Police Intelligence Directorate (DNIP) – Dirección Nacional de Inteligencia Policial
The tag is: misp-galaxy:intelligence-agency="National Police Intelligence Directorate"
Links |
https://en.wikipedia.org/wiki/National_Police_Intelligence_Directorate |
General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)
General Directorate of Analysis and Strategic Intelligence - Direccion General de Analisis e Inteligencia Estrategica (DGAIE)[23]
The tag is: misp-galaxy:intelligence-agency="General Directorate of Analysis and Strategic Intelligence (Panama) (page does not exist)"
National Intelligence and Security Service (Panama) (page does not exist)
National Intelligence and Security Service - Servicio Nacional de Inteligencia y Seguridad (SENIS)[24]
The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Panama) (page does not exist)"
National Intelligence Organization (Papua New Guinea)
National Intelligence Organization (NIO)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Papua New Guinea)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Papua_New_Guinea) |
National Directorate of Intelligence (Peru)
National Directorate of Intelligence - Dirección Nacional de Inteligencia (DINI)
The tag is: misp-galaxy:intelligence-agency="National Directorate of Intelligence (Peru)"
Links |
https://en.wikipedia.org/wiki/National_Directorate_of_Intelligence_(Peru) |
National Intelligence Coordinating Agency
National Intelligence Coordinating Agency (NICA) – Pambansang Ahensiya sa Ugnayang Intelihensiya
The tag is: misp-galaxy:intelligence-agency="National Intelligence Coordinating Agency"
National Intelligence Coordinating Agency is also known as:
- Pambansang Ahensiya sa Ugnayang Intelihensiya
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Coordinating_Agency |
National Bureau of Investigation (Philippines)
National Bureau of Investigation (NBI) – Pambansang Kawanihan ng Pagsisiyasat
The tag is: misp-galaxy:intelligence-agency="National Bureau of Investigation (Philippines)"
National Bureau of Investigation (Philippines) is also known as:
- Pambansang Kawanihan ng Pagsisiyasat
Links |
https://en.wikipedia.org/wiki/National_Bureau_of_Investigation_(Philippines) |
Agencja Wywiadu
Foreign Intelligence Agency - Agencja Wywiadu (AW)
The tag is: misp-galaxy:intelligence-agency="Agencja Wywiadu"
Agencja Bezpieczeństwa Wewnętrznego
Internal Security Agency - Agencja Bezpieczeństwa Wewnętrznego (ABW)
The tag is: misp-galaxy:intelligence-agency="Agencja Bezpieczeństwa Wewnętrznego"
Links |
https://en.wikipedia.org/wiki/Agencja_Bezpiecze%C5%84stwa_Wewn%C4%99trznego |
Służba Wywiadu Wojskowego (page does not exist)
Military Intelligence Service - Służba Wywiadu Wojskowego (SWW)
The tag is: misp-galaxy:intelligence-agency="Służba Wywiadu Wojskowego (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=S%C5%82u%C5%BCba_Wywiadu_Wojskowego&action=edit&redlink=1 |
Służba Kontrwywiadu Wojskowego
Military Counter-intelligence Service - Służba Kontrwywiadu Wojskowego (SKW)
The tag is: misp-galaxy:intelligence-agency="Służba Kontrwywiadu Wojskowego"
Links |
https://en.wikipedia.org/wiki/S%C5%82u%C5%BCba_Kontrwywiadu_Wojskowego |
Border Guard (Poland)
Operations and Investigations Directorate of the Border Guard Headquarters - Zarząd Operacyjno-Śledczy Komendy Głównej Straży Granicznej (KGSG, ZOŚ, KGSG)
The tag is: misp-galaxy:intelligence-agency="Border Guard (Poland)"
Serviço de Informações de Segurança
Security Intelligence Service - Serviço de Informações de Segurança (SIS)
The tag is: misp-galaxy:intelligence-agency="Serviço de Informações de Segurança"
Links |
https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_de_Seguran%C3%A7a |
Serviço de Informações Estratégicas de Defesa
Defense Strategic Intelligence Service - Serviço de Informações Estratégicas de Defesa (SIED)
The tag is: misp-galaxy:intelligence-agency="Serviço de Informações Estratégicas de Defesa"
Links |
https://en.wikipedia.org/wiki/Servi%C3%A7o_de_Informa%C3%A7%C3%B5es_Estrat%C3%A9gicas_de_Defesa |
CISMIL
Military Intelligence and Security Service - Centro de Informações e Segurança Militares (CISMIL)
The tag is: misp-galaxy:intelligence-agency="CISMIL"
Qatar State Security
Qatar State Security
The tag is: misp-galaxy:intelligence-agency="Qatar State Security"
Romanian Intelligence Service
Romanian Intelligence Service (SRI) – Serviciul Român de Informații
The tag is: misp-galaxy:intelligence-agency="Romanian Intelligence Service"
Romanian Intelligence Service is also known as:
- Serviciul Român de Informații
Foreign Intelligence Service (Romania)
Foreign Intelligence Service (SIE) – Serviciul de Informații Externe
The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Romania)"
Foreign Intelligence Service (Romania) is also known as:
- Serviciul de Informații Externe
Links |
https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Romania) |
Serviciul de Telecomunicații Speciale
Special Telecommunication Service (STS) – Serviciul de Telecomunicații Speciale
The tag is: misp-galaxy:intelligence-agency="Serviciul de Telecomunicații Speciale"
Links |
https://en.wikipedia.org/wiki/Serviciul_de_Telecomunica%C8%9Bii_Speciale |
Direcția Generală de Informații a Apărării
General Directorate for Defense Intelligence (DGIA) – Direcția Generală de Informații a Apărării
The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații a Apărării"
Links |
https://en.wikipedia.org/wiki/Direc%C8%9Bia_General%C4%83_de_Informa%C8%9Bii_a_Ap%C4%83r%C4%83rii |
Direcția Generală de Informații și Protecție Internă
General Directorate for Internal Security (DGPI) – Direcția Generală de Protecție Internă
The tag is: misp-galaxy:intelligence-agency="Direcția Generală de Informații și Protecție Internă"
Direcția Generală de Informații și Protecție Internă is also known as:
- Direcția Generală de Protecție Internă
Federal Security Service (Russia)
Federal Security Service (FSB) – Федеральная служба безопасности
The tag is: misp-galaxy:intelligence-agency="Federal Security Service (Russia)"
Federal Security Service (Russia) is also known as:
- Федеральная служба безопасности
Links |
https://en.wikipedia.org/wiki/Federal_Security_Service_(Russia) |
Main Directorate of Special Programs of the President of the Russian Federation
Main Directorate of Special Programs of the President of the Russian Federation (GUSP) – Главное управление специальных программ Президента Российской Федерации
The tag is: misp-galaxy:intelligence-agency="Main Directorate of Special Programs of the President of the Russian Federation"
Main Directorate of Special Programs of the President of the Russian Federation is also known as:
- Главное управление специальных программ Президента Российской Федерации
Foreign Intelligence Service (Russia)
Foreign Intelligence Service (Russia) (SVR) – Служба Внешней Разведки
The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service (Russia)"
Foreign Intelligence Service (Russia) is also known as:
- Служба Внешней Разведки
Links |
https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_(Russia) |
GRU (Russian Federation)
Main Intelligence Directorate (GRU) – Главное Разведывательное Управление
The tag is: misp-galaxy:intelligence-agency="GRU (Russian Federation)"
GRU (Russian Federation) is also known as:
- Главное Разведывательное Управление
Special Communications Service of Russia
Special Communications Service of Russia – Служба специальной связи и информации
The tag is: misp-galaxy:intelligence-agency="Special Communications Service of Russia"
Special Communications Service of Russia is also known as:
- Служба специальной связи и информации
Links |
https://en.wikipedia.org/wiki/Special_Communications_Service_of_Russia |
National Intelligence and Security Service (Rwanda)
National Intelligence and Security Service (Rwanda)
The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Service (Rwanda)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Service_(Rwanda) |
Council of Political and Security Affairs (Saudi Arabia)
Council of Political and Security Affairs (CPSA) – مجلس الشؤون السياسية والأمنية
The tag is: misp-galaxy:intelligence-agency="Council of Political and Security Affairs (Saudi Arabia)"
Links |
https://en.wikipedia.org/wiki/Council_of_Political_and_Security_Affairs_(Saudi_Arabia) |
Al Mukhabarat Al A’amah
General Intelligence Presidency (GIP) – رئاسة الاستخبارات العامة
The tag is: misp-galaxy:intelligence-agency="Al Mukhabarat Al A’amah"
Mabahith
Mabahith (GDI) – المباحث العامة
The tag is: misp-galaxy:intelligence-agency="Mabahith"
Saudi Arabian Border Guards
Saudi Arabia Border Guards Intelligence Directorate – استخبارات حرس الحدود
The tag is: misp-galaxy:intelligence-agency="Saudi Arabian Border Guards"
The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني
The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني
The tag is: misp-galaxy:intelligence-agency="The National Cyber Security Commission[25] (NCSC) – الهيئة الوطنية للأمن السيبراني"
Security Intelligence Agency
Security Intelligence Agency – Безбедносно-информативна агенција (BIA)
The tag is: misp-galaxy:intelligence-agency="Security Intelligence Agency"
Military Security Agency (Serbia)
Military Security Agency – Војнобезбедносна агенција (VBA)
The tag is: misp-galaxy:intelligence-agency="Military Security Agency (Serbia)"
Links |
https://en.wikipedia.org/wiki/Military_Security_Agency_(Serbia) |
Vojnoobaveštajna agencija
Military Intelligence Agency – Војнообавештајна агенција (VOA)
The tag is: misp-galaxy:intelligence-agency="Vojnoobaveštajna agencija"
Links |
https://en.wikipedia.org/wiki/Vojnoobave%C5%A1tajna_agencija |
Security and Intelligence Division
Security and Intelligence Division (SID)
The tag is: misp-galaxy:intelligence-agency="Security and Intelligence Division"
Links |
https://en.wikipedia.org/wiki/Security_and_Intelligence_Division |
Internal Security Department (Singapore)
Internal Security Department (ISD)
The tag is: misp-galaxy:intelligence-agency="Internal Security Department (Singapore)"
Links |
https://en.wikipedia.org/wiki/Internal_Security_Department_(Singapore) |
Slovak Information Service
Slovak Information Service - Slovenská informačná služba (SIS)
The tag is: misp-galaxy:intelligence-agency="Slovak Information Service"
Vojenské spravodajstvo
Military Intelligence - Vojenské spravodajstvo
The tag is: misp-galaxy:intelligence-agency="Vojenské spravodajstvo"
National Security Bureau (Slovakia)
National Security Bureau - Národný bezpečnostný úrad (NBÚ)
The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Slovakia)"
Links |
https://en.wikipedia.org/wiki/National_Security_Bureau_(Slovakia) |
Slovenska Obveščevalno-Varnostna Agencija
Slovenian Intelligence and Security Agency - Slovenska Obveščevalno-Varnostna Agencija (SOVA)
The tag is: misp-galaxy:intelligence-agency="Slovenska Obveščevalno-Varnostna Agencija"
Links |
https://en.wikipedia.org/wiki/Slovenska_Obve%C5%A1%C4%8Devalno-Varnostna_Agencija |
Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]
Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]
The tag is: misp-galaxy:intelligence-agency="Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]"
General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]
General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]
The tag is: misp-galaxy:intelligence-agency="General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)[27]"
National Intelligence and Security Agency
National Intelligence and Security Agency (NISA)
The tag is: misp-galaxy:intelligence-agency="National Intelligence and Security Agency"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_and_Security_Agency |
State Security Agency (South Africa)
State Security Agency (SSA)
The tag is: misp-galaxy:intelligence-agency="State Security Agency (South Africa)"
Links |
https://en.wikipedia.org/wiki/State_Security_Agency_(South_Africa) |
South African National Defence Force Intelligence Division
South African National Defence Force, Intelligence Division (SANDF-ID)
The tag is: misp-galaxy:intelligence-agency="South African National Defence Force Intelligence Division"
Links |
https://en.wikipedia.org/wiki/South_African_National_Defence_Force_Intelligence_Division |
Crime Intelligence (SAPS)
Crime Intelligence Division, South African Police Service
The tag is: misp-galaxy:intelligence-agency="Crime Intelligence (SAPS)"
National Intelligence Service (South Korea)
National Intelligence Service (NIS)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Service (South Korea)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Service_(South_Korea) |
Defense Intelligence Agency (South Korea)
Defense Intelligence Agency (DIA)
The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency (South Korea)"
Links |
https://en.wikipedia.org/wiki/Defense_Intelligence_Agency_(South_Korea) |
Defence Intelligence Command (page does not exist)
Defence Intelligence Command [ko] (DIC)
The tag is: misp-galaxy:intelligence-agency="Defence Intelligence Command (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Defence_Intelligence_Command&action=edit&redlink=1 |
Defense Security Support Command (page does not exist)
Defense Security Support Command [ko] (DSSC)
The tag is: misp-galaxy:intelligence-agency="Defense Security Support Command (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Defense_Security_Support_Command&action=edit&redlink=1 |
Department of Homeland Security (Spain)
Department of Homeland Security (DSN)
The tag is: misp-galaxy:intelligence-agency="Department of Homeland Security (Spain)"
Links |
https://en.wikipedia.org/wiki/Department_of_Homeland_Security_(Spain) |
National Cryptologic Center
National Cryptologic Center - (Centro Criptológico Nacional) (CCN)
The tag is: misp-galaxy:intelligence-agency="National Cryptologic Center"
Spanish Armed Forces Intelligence Center
Armed Forces Intelligence Center (CIFAS)
The tag is: misp-galaxy:intelligence-agency="Spanish Armed Forces Intelligence Center"
Links |
https://en.wikipedia.org/wiki/Spanish_Armed_Forces_Intelligence_Center |
Joint Cyberspace Command
Joint Cyberspace Command (MCCE)
The tag is: misp-galaxy:intelligence-agency="Joint Cyberspace Command"
Centro de Inteligencia contra el Terrorismo y el Crimen Organizado
Intelligence Center for Counter-Terrorism and Organized Crime - (Centro de Inteligencia contra el Terrorismo y el Crimen Organizado) (CITCO)
The tag is: misp-galaxy:intelligence-agency="Centro de Inteligencia contra el Terrorismo y el Crimen Organizado"
Links |
https://en.wikipedia.org/wiki/Centro_de_Inteligencia_contra_el_Terrorismo_y_el_Crimen_Organizado |
Brigada de Investigación Tecnológica
Technological Research Brigade (BIT)
The tag is: misp-galaxy:intelligence-agency="Brigada de Investigación Tecnológica"
Links |
https://en.wikipedia.org/wiki/Brigada_de_Investigaci%C3%B3n_Tecnol%C3%B3gica |
General Commissariat of Information
General Commissariat of Information - (Comisaría General de la Información) (CGI)
The tag is: misp-galaxy:intelligence-agency="General Commissariat of Information"
Links |
https://en.wikipedia.org/wiki/General_Commissariat_of_Information |
General Commissariat of Judiciary Police
General Commissariat of Judiciary Police - (Comisaría General de Policía Judicial) (CGPJ)
The tag is: misp-galaxy:intelligence-agency="General Commissariat of Judiciary Police"
Links |
https://en.wikipedia.org/wiki/General_Commissariat_of_Judiciary_Police |
State Intelligence Service (Sri Lanka)
State Intelligence Service (Sri Lanka)
The tag is: misp-galaxy:intelligence-agency="State Intelligence Service (Sri Lanka)"
Links |
https://en.wikipedia.org/wiki/State_Intelligence_Service_(Sri_Lanka) |
Special Branch (Sri Lanka)
Special Branch
The tag is: misp-galaxy:intelligence-agency="Special Branch (Sri Lanka)"
Terrorist Investigation Division
Terrorist Investigation Division
The tag is: misp-galaxy:intelligence-agency="Terrorist Investigation Division"
Criminal Investigation Department (Sri Lanka)
Criminal Investigation Department (Sri Lanka)
The tag is: misp-galaxy:intelligence-agency="Criminal Investigation Department (Sri Lanka)"
Links |
https://en.wikipedia.org/wiki/Criminal_Investigation_Department_(Sri_Lanka) |
Financial Crimes Investigation Division
Financial Crimes Investigation Division
The tag is: misp-galaxy:intelligence-agency="Financial Crimes Investigation Division"
Links |
https://en.wikipedia.org/wiki/Financial_Crimes_Investigation_Division |
Directorate of Military Intelligence (Sri Lanka)
Directorate of Military Intelligence (Sri Lanka)
The tag is: misp-galaxy:intelligence-agency="Directorate of Military Intelligence (Sri Lanka)"
Links |
https://en.wikipedia.org/wiki/Directorate_of_Military_Intelligence_(Sri_Lanka) |
Military Intelligence Corps (Sri Lanka)
Military Intelligence Corps (Sri Lanka)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (Sri Lanka)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(Sri_Lanka) |
Department of Naval Intelligence
Department of Naval Intelligence
The tag is: misp-galaxy:intelligence-agency="Department of Naval Intelligence"
Directorate of Air Intelligence
Directorate of Air Intelligence
The tag is: misp-galaxy:intelligence-agency="Directorate of Air Intelligence"
Financial Intelligence Unit (Sri Lanka),
Financial Intelligence Unit (Sri Lanka),
The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit (Sri Lanka),"
General Intelligence Service (Sudan)
General Intelligence Service
The tag is: misp-galaxy:intelligence-agency="General Intelligence Service (Sudan)"
Links |
https://en.wikipedia.org/wiki/General_Intelligence_Service_(Sudan) |
Kontoret för särskild inhämtning
Office for Special Acquisition – Kontoret för särskild inhämtning (KSI)
The tag is: misp-galaxy:intelligence-agency="Kontoret för särskild inhämtning"
Links |
https://en.wikipedia.org/wiki/Kontoret_f%C3%B6r_s%C3%A4rskild_inh%C3%A4mtning |
National Defence Radio Establishment
National Defence Radio Establishment – Försvarets Radioanstalt (FRA)
The tag is: misp-galaxy:intelligence-agency="National Defence Radio Establishment"
Links |
https://en.wikipedia.org/wiki/National_Defence_Radio_Establishment |
Swedish Security Service
Swedish Security Service – Säkerhetspolisen (Säpo)
The tag is: misp-galaxy:intelligence-agency="Swedish Security Service"
Swiss intelligence agencies
Federal Intelligence Service - Nachrichtendienst des Bundes (NDB)
The tag is: misp-galaxy:intelligence-agency="Swiss intelligence agencies"
Militärischer Nachrichtendienst
Military Intelligence Service - Militärischer Nachrichtendienst (MND)
The tag is: misp-galaxy:intelligence-agency="Militärischer Nachrichtendienst"
Links |
https://en.wikipedia.org/wiki/Milit%C3%A4rischer_Nachrichtendienst |
Air Force Intelligence Directorate
Air Force Intelligence Directorate
The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Directorate"
Links |
https://en.wikipedia.org/wiki/Air_Force_Intelligence_Directorate |
General Intelligence Directorate (Syria)
General Intelligence Directorate
The tag is: misp-galaxy:intelligence-agency="General Intelligence Directorate (Syria)"
Links |
https://en.wikipedia.org/wiki/General_Intelligence_Directorate_(Syria) |
Political Security Directorate
Political Security Directorate
The tag is: misp-galaxy:intelligence-agency="Political Security Directorate"
Links |
https://en.wikipedia.org/wiki/Political_Security_Directorate |
Military Intelligence Directorate (Syria)
Military Intelligence Directorate
The tag is: misp-galaxy:intelligence-agency="Military Intelligence Directorate (Syria)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_Directorate_(Syria) |
National Security Bureau (Republic of China)
National Security Bureau (NSB)
The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Republic of China)"
Links |
https://en.wikipedia.org/wiki/National_Security_Bureau_(Republic_of_China) |
Bureau of Investigation (Taiwan)
Investigation Bureau (MJIB)
The tag is: misp-galaxy:intelligence-agency="Bureau of Investigation (Taiwan)"
Links |
https://en.wikipedia.org/wiki/Bureau_of_Investigation_(Taiwan) |
National Police Agency of the ROC (Taiwan)
National Police Agency (NPA)
The tag is: misp-galaxy:intelligence-agency="National Police Agency of the ROC (Taiwan)"
Links |
https://en.wikipedia.org/wiki/National_Police_Agency_of_the_ROC_(Taiwan) |
Republic of China Military Police
Military Police Command (ROCMP)
The tag is: misp-galaxy:intelligence-agency="Republic of China Military Police"
Links |
https://en.wikipedia.org/wiki/Republic_of_China_Military_Police |
Bureau of Military Intelligence
Military Intelligence Bureau (MIB)
The tag is: misp-galaxy:intelligence-agency="Bureau of Military Intelligence"
Links |
https://en.wikipedia.org/wiki/Bureau_of_Military_Intelligence |
State Committee for National Security (Tajikistan)
State Committee for National Security (SCNS) – Кумитаи давлатии амнияти милли (КДАМ)/Государственный комитет национальной безопасности (ГКНБ)
The tag is: misp-galaxy:intelligence-agency="State Committee for National Security (Tajikistan)"
Links |
https://en.wikipedia.org/wiki/State_Committee_for_National_Security_(Tajikistan) |
Tanzania Intelligence and Security Service
Tanzania Intelligence and Security Service (TISS)
The tag is: misp-galaxy:intelligence-agency="Tanzania Intelligence and Security Service"
Links |
https://en.wikipedia.org/wiki/Tanzania_Intelligence_and_Security_Service |
Internal Security Affairs Bureau (ISAB)
Internal Security Affairs Bureau (ISAB)
The tag is: misp-galaxy:intelligence-agency="Internal Security Affairs Bureau (ISAB)"
Bureau of Intelligence (BI)
Bureau of Intelligence (BI)
The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence (BI)"
Intelligence Bureau (IB)
Intelligence Bureau (IB)
The tag is: misp-galaxy:intelligence-agency="Intelligence Bureau (IB)"
Armed Forces Security Center (AFSC)
Armed Forces Security Center (AFSC)
The tag is: misp-galaxy:intelligence-agency="Armed Forces Security Center (AFSC)"
Army Military Intelligence Command (AMIC)
Army Military Intelligence Command (AMIC)
The tag is: misp-galaxy:intelligence-agency="Army Military Intelligence Command (AMIC)"
Department of Border Affair (DBA)
Department of Border Affair (DBA)
The tag is: misp-galaxy:intelligence-agency="Department of Border Affair (DBA)"
Directorate of Joint Intelligence (DJI)
Directorate of Joint Intelligence (DJI)
The tag is: misp-galaxy:intelligence-agency="Directorate of Joint Intelligence (DJI)"
Directorate of Intelligence Royal Thai Army (DINTRTA)
Directorate of Intelligence Royal Thai Army (DINTRTA)
The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence Royal Thai Army (DINTRTA)"
Directorate of Intelligence, RTAF (INTELLRTAF)
Directorate of Intelligence, RTAF (INTELLRTAF)
The tag is: misp-galaxy:intelligence-agency="Directorate of Intelligence, RTAF (INTELLRTAF)"
Naval Intelligence Department (NID)
Naval Intelligence Department (NID)
The tag is: misp-galaxy:intelligence-agency="Naval Intelligence Department (NID)"
Financial Intelligence Division (FID)
Financial Intelligence Division (FID)
The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Division (FID)"
Internal Security Operations Command
Internal Security Operations Command (ISOC)
The tag is: misp-galaxy:intelligence-agency="Internal Security Operations Command"
Links |
https://en.wikipedia.org/wiki/Internal_Security_Operations_Command |
National Intelligence Agency (Thailand)
National Intelligence Agency (NIA)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Agency (Thailand)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Agency_(Thailand) |
National Intelligence Cooperating Center (NICC)
National Intelligence Cooperating Center (NICC)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Cooperating Center (NICC)"
Drug Intelligence Division (DID)
Drug Intelligence Division (DID)
The tag is: misp-galaxy:intelligence-agency="Drug Intelligence Division (DID)"
Special Branch Bureau
Special Branch Bureau (SBB)
The tag is: misp-galaxy:intelligence-agency="Special Branch Bureau"
Strategic Services Agency (SSA)[28]
Strategic Services Agency (SSA)[28]
The tag is: misp-galaxy:intelligence-agency="Strategic Services Agency (SSA)[28]"
Organised Crime and Intelligence Unit[30]
Organised Crime and Intelligence Unit[30]
The tag is: misp-galaxy:intelligence-agency="Organised Crime and Intelligence Unit[30]"
Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]
Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]
The tag is: misp-galaxy:intelligence-agency="Financial Intelligence Unit Trinidad and Tobago (FIUTT)[31]"
National Intelligence Organization (Turkey)
National Intelligence Organization (MİT)
The tag is: misp-galaxy:intelligence-agency="National Intelligence Organization (Turkey)"
Links |
https://en.wikipedia.org/wiki/National_Intelligence_Organization_(Turkey) |
Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)
Department of Smuggling, Intelligence, Operations and Information Collection (intelligence coordination)
The tag is: misp-galaxy:intelligence-agency="Department of Smuggling, Intelligence, Operations and Information Collection (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Department_of_Smuggling |
Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)
Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (Intelligence Directorate)
The tag is: misp-galaxy:intelligence-agency="Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (page does not exist)"
Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)
Terörle Mücadele Dairesi Başkanlığı(TEM) (Anti-Terrorism Department)
The tag is: misp-galaxy:intelligence-agency="Terörle Mücadele Dairesi Başkanlığı(TEM) (page does not exist)"
Gendarmerie Intelligence Directorate (page does not exist)
Gendarmerie Intelligence Directorate (law enforcement)
The tag is: misp-galaxy:intelligence-agency="Gendarmerie Intelligence Directorate (page does not exist)"
Coast Guard Intelligence Directorate (page does not exist)
Coast Guard Intelligence Directorate (law enforcement)
The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence Directorate (page does not exist)"
General Staff Intelligence Directorate (page does not exist)
General Staff Intelligence Directorate (military intelligence)
The tag is: misp-galaxy:intelligence-agency="General Staff Intelligence Directorate (page does not exist)"
Army Intelligence Department (page does not exist)
Army Intelligence Department (military intelligence)
The tag is: misp-galaxy:intelligence-agency="Army Intelligence Department (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Army_Intelligence_Department&action=edit&redlink=1 |
Navy Intelligence Department (page does not exist)
Navy Intelligence Department (military intelligence)
The tag is: misp-galaxy:intelligence-agency="Navy Intelligence Department (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Navy_Intelligence_Department&action=edit&redlink=1 |
Air Force Intelligence Department (page does not exist)
Air Force Intelligence Department (military intelligence)
The tag is: misp-galaxy:intelligence-agency="Air Force Intelligence Department (page does not exist)"
Links |
https://en.wikipedia.org/w/index.php?title=Air_Force_Intelligence_Department&action=edit&redlink=1 |
Ministry for National Security (Turkmenistan)
Ministry for National Security (MNS)
The tag is: misp-galaxy:intelligence-agency="Ministry for National Security (Turkmenistan)"
Links |
https://en.wikipedia.org/wiki/Ministry_for_National_Security_(Turkmenistan) |
Chief directorate of intelligence of the Ministry of Defence of Ukraine
Central Intelligence Directorate – Holovne Upravlinnya Rozvidky (HUR)
The tag is: misp-galaxy:intelligence-agency="Chief directorate of intelligence of the Ministry of Defence of Ukraine"
Foreign Intelligence Service of Ukraine
Foreign Intelligence Service of Ukraine – Sluzhba Zovnishnioyi Rozvidky Ukrayiny (SZR or SZRU)
The tag is: misp-galaxy:intelligence-agency="Foreign Intelligence Service of Ukraine"
Links |
https://en.wikipedia.org/wiki/Foreign_Intelligence_Service_of_Ukraine |
State Bureau of Investigation (Ukraine)
State Bureau of Investigation – Derzhavne Biuro Rozsliduvan (DBR)
The tag is: misp-galaxy:intelligence-agency="State Bureau of Investigation (Ukraine)"
Links |
https://en.wikipedia.org/wiki/State_Bureau_of_Investigation_(Ukraine) |
Security Service of Ukraine
Security Service of Ukraine – Sluzhba Bezpeky Ukrayiny (SBU)
The tag is: misp-galaxy:intelligence-agency="Security Service of Ukraine"
Signals Intelligence Agency
Signals Intelligence Agency (SIA)
The tag is: misp-galaxy:intelligence-agency="Signals Intelligence Agency"
Joint Intelligence Organisation (United Kingdom)
Joint Intelligence Organisation (JIO) – Joint intelligence analysis.
The tag is: misp-galaxy:intelligence-agency="Joint Intelligence Organisation (United Kingdom)"
Links |
https://en.wikipedia.org/wiki/Joint_Intelligence_Organisation_(United_Kingdom) |
MI5
Security Service/MI5 – Domestic counter-terrorism and counter-espionage intelligence gathering and analysis.
The tag is: misp-galaxy:intelligence-agency="MI5"
Office for Security and Counter-Terrorism
Office for Security and Counter-Terrorism (OSCT) – Counter terrorism and protecting critical national infrastructure.
The tag is: misp-galaxy:intelligence-agency="Office for Security and Counter-Terrorism"
Links |
https://en.wikipedia.org/wiki/Office_for_Security_and_Counter-Terrorism |
National Domestic Extremism and Disorder Intelligence Unit
National Domestic Extremism and Disorder Intelligence Unit (NDEDIU) – Domestic counter-extremism and public disorder intelligence gathering and analysis.
The tag is: misp-galaxy:intelligence-agency="National Domestic Extremism and Disorder Intelligence Unit"
Links |
https://en.wikipedia.org/wiki/National_Domestic_Extremism_and_Disorder_Intelligence_Unit |
National Ballistics Intelligence Service
National Ballistics Intelligence Service (NBIS) – Illegal firearms intelligence analysis.
The tag is: misp-galaxy:intelligence-agency="National Ballistics Intelligence Service"
Links |
https://en.wikipedia.org/wiki/National_Ballistics_Intelligence_Service |
National Fraud Intelligence Bureau
National Fraud Intelligence Bureau (NFIB) – Economic crime intelligence gathering and analysis.
The tag is: misp-galaxy:intelligence-agency="National Fraud Intelligence Bureau"
Links |
https://en.wikipedia.org/wiki/National_Fraud_Intelligence_Bureau |
Secret Intelligence Service
Secret Intelligence Service (SIS)/MI6 – Foreign intelligence gathering and analysis.
The tag is: misp-galaxy:intelligence-agency="Secret Intelligence Service"
Defence Intelligence
Defence Intelligence (DI) – Military intelligence analysis.
The tag is: misp-galaxy:intelligence-agency="Defence Intelligence"
Government Communications Headquarters
Government Communications Headquarters (GCHQ) – Signals intelligence gathering and analysis.
The tag is: misp-galaxy:intelligence-agency="Government Communications Headquarters"
Links |
https://en.wikipedia.org/wiki/Government_Communications_Headquarters |
National Crime Agency
National Crime Agency (NCA) – Organised crime intelligence gathering and analysis. The agency uses unexplained wealth orders and powers under the Investigatory Powers Act 2016. NCA officers are posted overseas in around 50 countries. It operates the UK Protected Persons Service, which includes witness protection.
The tag is: misp-galaxy:intelligence-agency="National Crime Agency"
Gangmasters and Labour Abuse Authority
Gangmasters and Labour Abuse Authority - Human trafficking, slavery, economic, and serious organised crime.
The tag is: misp-galaxy:intelligence-agency="Gangmasters and Labour Abuse Authority"
Links |
https://en.wikipedia.org/wiki/Gangmasters_and_Labour_Abuse_Authority |
Director of National Intelligence
Office of the Director of National Intelligence (ODNI)
The tag is: misp-galaxy:intelligence-agency="Director of National Intelligence"
Links |
https://en.wikipedia.org/wiki/Director_of_National_Intelligence |
Central Intelligence Agency
Central Intelligence Agency (CIA)
The tag is: misp-galaxy:intelligence-agency="Central Intelligence Agency"
Defense Intelligence Agency
Defense Intelligence Agency (DIA)
The tag is: misp-galaxy:intelligence-agency="Defense Intelligence Agency"
National Security Agency
National Security Agency (NSA)
The tag is: misp-galaxy:intelligence-agency="National Security Agency"
National Geospatial-Intelligence Agency
National Geospatial-Intelligence Agency (NGA)
The tag is: misp-galaxy:intelligence-agency="National Geospatial-Intelligence Agency"
Links |
https://en.wikipedia.org/wiki/National_Geospatial-Intelligence_Agency |
National Reconnaissance Office
National Reconnaissance Office (NRO)
The tag is: misp-galaxy:intelligence-agency="National Reconnaissance Office"
Links |
https://en.wikipedia.org/wiki/National_Reconnaissance_Office |
Military Intelligence Corps (United States Army)
Military Intelligence Corps (MIC)
The tag is: misp-galaxy:intelligence-agency="Military Intelligence Corps (United States Army)"
Links |
https://en.wikipedia.org/wiki/Military_Intelligence_Corps_(United_States_Army) |
Marine Corps Intelligence
Marine Corps Intelligence (MCI)
The tag is: misp-galaxy:intelligence-agency="Marine Corps Intelligence"
Office of Naval Intelligence
Office of Naval Intelligence (ONI)
The tag is: misp-galaxy:intelligence-agency="Office of Naval Intelligence"
Sixteenth Air Force
Sixteenth Air Force (16 AF)
The tag is: misp-galaxy:intelligence-agency="Sixteenth Air Force"
Space Delta 18
Space Delta 18 (DEL 18)
The tag is: misp-galaxy:intelligence-agency="Space Delta 18"
Office of Intelligence and Counterintelligence
Office of Intelligence and Counterintelligence (OICI)
The tag is: misp-galaxy:intelligence-agency="Office of Intelligence and Counterintelligence"
Links |
https://en.wikipedia.org/wiki/Office_of_Intelligence_and_Counterintelligence |
Coast Guard Intelligence
Coast Guard Intelligence (CGI)
The tag is: misp-galaxy:intelligence-agency="Coast Guard Intelligence"
DHS Office of Intelligence and Analysis
DHS Office of Intelligence and Analysis (I&A)
The tag is: misp-galaxy:intelligence-agency="DHS Office of Intelligence and Analysis"
Links |
https://en.wikipedia.org/wiki/DHS_Office_of_Intelligence_and_Analysis |
DEA Office of National Security Intelligence
DEA Office of National Security Intelligence (ONSI)
The tag is: misp-galaxy:intelligence-agency="DEA Office of National Security Intelligence"
Links |
https://en.wikipedia.org/wiki/DEA_Office_of_National_Security_Intelligence |
FBI Intelligence Branch
FBI Intelligence Branch (IB)
The tag is: misp-galaxy:intelligence-agency="FBI Intelligence Branch"
Bureau of Intelligence and Research
Bureau of Intelligence and Research (INR)
The tag is: misp-galaxy:intelligence-agency="Bureau of Intelligence and Research"
Links |
https://en.wikipedia.org/wiki/Bureau_of_Intelligence_and_Research |
Office of Terrorism and Financial Intelligence
Office of Terrorism and Financial Intelligence (TFI)
The tag is: misp-galaxy:intelligence-agency="Office of Terrorism and Financial Intelligence"
Links |
https://en.wikipedia.org/wiki/Office_of_Terrorism_and_Financial_Intelligence |
es:Secretaría de Inteligencia Estratégica de Estado
State Secretariat of Strategic Intelligence - Secretaría de Inteligencia Estratégica de Estado (SIEE)
The tag is: misp-galaxy:intelligence-agency="es:Secretaría de Inteligencia Estratégica de Estado"
es:Secretaría de Inteligencia Estratégica de Estado is also known as:
-
Secretaría de Inteligencia Estratégica de Estado
National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)
National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)
The tag is: misp-galaxy:intelligence-agency="National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)"
State Security Service (Uzbekistan)
State Security Service - Davlat Xavfsizlik Xizmati (DXX)/ Служба государственной безопасности (СГБ)
The tag is: misp-galaxy:intelligence-agency="State Security Service (Uzbekistan)"
Links |
https://en.wikipedia.org/wiki/State_Security_Service_(Uzbekistan) |
Bolivarian National Intelligence Service
Bolivarian National Intelligence Service - Servicio Bolivariano de Inteligencia (SEBIN)
The tag is: misp-galaxy:intelligence-agency="Bolivarian National Intelligence Service"
Links |
https://en.wikipedia.org/wiki/Bolivarian_National_Intelligence_Service |
Dirección General de Contrainteligencia Militar
Directorate General of Military Counterintelligence – Dirección General de Contrainteligencia Militar (DGCIM)
The tag is: misp-galaxy:intelligence-agency="Dirección General de Contrainteligencia Militar"
Links |
https://en.wikipedia.org/wiki/Direcci%C3%B3n_General_de_Contrainteligencia_Militar |
General Department of Military Intelligence
General Department of Defence Intelligence (GDDI)/General Department II - Tổng cục Tình báo Quốc phòng (TBQP)/Tổng cục II (TC2)
The tag is: misp-galaxy:intelligence-agency="General Department of Military Intelligence"
Links |
https://en.wikipedia.org/wiki/General_Department_of_Military_Intelligence |
Political Security Organization
Political Security Organization (PSO)
The tag is: misp-galaxy:intelligence-agency="Political Security Organization"
Links |
https://en.wikipedia.org/wiki/Political_Security_Organization |
National Security Bureau (Yemen)
National Security Bureau (NSB)
The tag is: misp-galaxy:intelligence-agency="National Security Bureau (Yemen)"
Links |
https://en.wikipedia.org/wiki/National_Security_Bureau_(Yemen) |
Central Intelligence Organisation
Central Intelligence Organisation (CIO)
The tag is: misp-galaxy:intelligence-agency="Central Intelligence Organisation"
Links |
https://en.wikipedia.org/wiki/Central_Intelligence_Organisation |
Counter Terrorism Group
Counter Terrorism Group (CTG)
The tag is: misp-galaxy:intelligence-agency="Counter Terrorism Group"
European Union Military Staff
European Union Military Staff (EUMS)
The tag is: misp-galaxy:intelligence-agency="European Union Military Staff"
European Union Satellite Centre
European Union Satellite Centre (EU SatCen)
The tag is: misp-galaxy:intelligence-agency="European Union Satellite Centre"
Links |
https://en.wikipedia.org/wiki/European_Union_Satellite_Centre |
Regional Anti-Terrorist Structure
Regional Anti-Terrorist Structure (RATS)
The tag is: misp-galaxy:intelligence-agency="Regional Anti-Terrorist Structure"
Links |
https://en.wikipedia.org/wiki/Regional_Anti-Terrorist_Structure |
INTERPOL DWVA Taxonomy
This taxonomy defines common forms of abuse and the entities (real-world actors and services) that are part of the wider darknet and cryptoasset ecosystems.
INTERPOL DWVA Taxonomy is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
INTERPOL Darkweb and Virtual Assets Working Group
Decentralized Apps
An application that does not rely on a central server but on several decentralized nodes. Each user can choose to be an active node serving the app.
The tag is: misp-galaxy:dwva="Decentralized Apps"
Hardware Wallet
A [hardware] cryptocurrency wallet is a device, physical medium, (…) which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.
The tag is: misp-galaxy:dwva="Hardware Wallet"
Distributed Hash Technology
A distributed hash table (DHT) is a decentralized system for storing and looking up key/value pairs, for example the contact information that lets peers downloading the same file discover each other. Both Tor (for onion service descriptors) and I2P (netDb) rely on DHT-style lookups. Because hidden-service name resolution is distributed, an observer can deploy nodes in the DHT to monitor lookup requests for a given onion address.
The tag is: misp-galaxy:dwva="Distributed Hash Technology"
Bitcoin
Bitcoin is a network protocol based on a blockchain, introduced by Nakamoto [11], which allows payments and coin transfers to be made among participating entities. No trusted
The tag is: misp-galaxy:dwva="Bitcoin"
Counterfeit product
Counterfeit consumer goods are goods, often of inferior quality, made or sold under another’s brand name without the brand owner’s authorization.
The tag is: misp-galaxy:dwva="Counterfeit product"
Shop owner
A shop owner is an actor within the group of criminal actors who operates a darkweb (DW) shop.
The tag is: misp-galaxy:dwva="Shop owner"
Hierarchically Deterministic wallets
An HD (Hierarchical Deterministic) wallet is a tree of private/public key pairs derived from a single master seed. This provides both account management and identity masking: the user only needs to keep the master seed, because every subsequent key pair can be regenerated deterministically from the root key, and a fresh public key can be exposed for each transaction.
The tag is: misp-galaxy:dwva="Hierarchically Deterministic wallets"
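To make the derivation concrete, the following is an added example written for this page, not code from the INTERPOL working group or the MISP project. It implements BIP32 master-key generation and child key derivation (private and public) over secp256k1 using only the Python standard library; the seed is a constructed 16-byte demo value and the function names are the example's own. It shows the two properties the entry describes: a single master seed deterministically yields a whole tree of key pairs, and a party holding only an account's extended public key (public key plus chain code) can mint a fresh receiving public key per transaction without ever holding a private key. Hardened derivation (index >= 2^31) is included because, with non-hardened children, a leaked child private key combined with the parent's extended public key reveals the parent private key.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve used by Bitcoin)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000   # child indices >= 2^31 are hardened


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k * point (readable, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ser_p(point):
    """BIP32 serP: 33-byte compressed SEC1 public key."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def master_key(seed):
    """BIP32 master node: I = HMAC-SHA512('Bitcoin seed', seed); k = I_L, chain code = I_R."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 0 < k < N:
        raise ValueError("invalid master key, choose another seed")
    return k, i[32:]


def ckd_priv(k_par, c_par, index):
    """Private parent -> private child. Hardened indices hash the private key itself, so a
    leaked child private key plus the parent xpub cannot be combined to recover k_par."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_p(scalar_mult(k_par)) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    k_child = (il + k_par) % N
    if il >= N or k_child == 0:
        raise ValueError("invalid child, skip this index")
    return k_child, i[32:]


def ckd_pub(K_par, c_par, index):
    """Public parent -> public child with no private key at all (watch-only wallets).
    Only possible for non-hardened indices."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    data = ser_p(K_par) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    K_child = point_add(scalar_mult(il), K_par)
    if il >= N or K_child is None:
        raise ValueError("invalid child, skip this index")
    return K_child, i[32:]


def derive_priv(seed, path):
    """Walk a BIP32 path such as m/44'/0'/0' (' or h marks a hardened step)."""
    k, c = master_key(seed)
    for elem in path.split("/")[1:]:
        index = int(elem.rstrip("'h")) + (HARDENED if elem[-1] in "'h" else 0)
        k, c = ckd_priv(k, c, index)
    return k, c


def watch_only_pubkeys(K_account, c_account, count):
    """What a payment server holding only the account's extended public key can do:
    mint a fresh receiving key per transaction without any private key on the box."""
    return [ser_p(ckd_pub(K_account, c_account, i)[0]).hex() for i in range(count)]
```

Running `derive_priv(bytes(range(16)), "m/44'/0'/0'")` (a constructed seed) and feeding the resulting public point and chain code to `watch_only_pubkeys` gives the same compressed keys as private derivation of `m/44'/0'/0'/i`, which is the property that lets a hot web server accept payments while the private keys stay offline. The arithmetic can be checked against the published BIP32 test vectors; for real funds use a reviewed library, since this code is written for readability and is not constant-time.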
Non Fungible Token
A non-fungible token (NFT) is a unit of data stored on a digital ledger, called a blockchain, that certifies a digital asset to be unique and therefore not interchangeable. NFTs can be used to represent items such as photos, videos, audio, and other types of digital files.
The tag is: misp-galaxy:dwva="Non Fungible Token"
Bulletproof Hosting
A (hosting) service that guarantees the availability of hosted resources even when they are found to be malicious or illegal.
The tag is: misp-galaxy:dwva="Bulletproof Hosting"
Darknet Wiki
Wiki services, including directory services for other hidden services, hosted in the Dark Web.
The tag is: misp-galaxy:dwva="Darknet Wiki"
Proof of Stake
In a Proof of Stake (PoS) network, users must prove ownership of enough stake to become validators. Ethereum (ETH) moved from PoW to PoS in September 2022. PoS offers several advantages over PoW: it is energy efficient, reduces hardware requirements and is less prone to centralisation.
The tag is: misp-galaxy:dwva="Proof of Stake"
Multisig
Multisig refers to all the transactions that require two or more signatures. Multisignature transactions and addresses are validated only when at least x of the possible y signatories have signed. x and y are defined at creation.
The tag is: misp-galaxy:dwva="Multisig"
Zcash
A cryptocurrency with a decentralized blockchain that provides anonymity for its users and their transactions. Like Bitcoin it is open source, but its major difference is the increased level of privacy it provides through shielded transactions based on zero-knowledge proofs.
The tag is: misp-galaxy:dwva="Zcash"
Finalize Early
Buyers may "finalize early" (FE), releasing funds from escrow to the vendor before receiving their goods in order to expedite a transaction. This is done when there is a trust relationship between vendor and buyer, but it leaves the buyer exposed to fraud, since the protection of escrow is given up.
The tag is: misp-galaxy:dwva="Finalize Early"
Coin swapping
CoinSwap is a protocol to make a transaction via a third party to obfuscate the money flow. For instance, when Alice would like to pay Bob, Carol offers to receive Alice’s coin and pay Bob with an unconnected coin. While none of these parties trusts each other, this protocol does not allow Carol to rob Alice’s coin.
The tag is: misp-galaxy:dwva="Coin swapping"
Ripple
Ripple is a real-time gross settlement system, currency exchange and remittance network created by Ripple Labs Inc., a US-based technology company. (…) The ledger employs the native cryptocurrency known as XRP.
The tag is: misp-galaxy:dwva="Ripple"
Vendor
Someone who is selling something.
The tag is: misp-galaxy:dwva="Vendor"
Initial Coin Offering / Initial Crypto-Tokens Offering
Initial Coin Offerings (ICO) are public offers of new cryptocurrencies in exchange for existing ones, aimed at financing projects in the blockchain development arena. The typical pattern is for a startup to produce a white paper that describes its business model and technical approach. The white paper includes details about the functions that the tokens issued during the ICO will perform and the process of token creation.
The tag is: misp-galaxy:dwva="Initial Coin Offering / Initial Crypto-Tokens Offering"
Layer 2
Layer 2 is a collective term for solutions designed to help scale decentralised applications by handling transactions off the Ethereum mainnet (layer 1), while taking advantage of the robust decentralized security model of mainnet.
The tag is: misp-galaxy:dwva="Layer 2"
Links |
https://ethereum.org/en/developers/docs/scaling/layer-2-rollups |
Virtual Asset Service Provider
Virtual asset service provider means any natural or legal person who (…) as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i) exchange between virtual assets and fiat currencies; ii) exchange between one or more forms of virtual assets; iii) transfer of virtual assets; iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
The tag is: misp-galaxy:dwva="Virtual Asset Service Provider"
Decentralized Exchange
The same as an exchange, but in a completely distributed environment: there is no central hosting server and all nodes are servers.
The tag is: misp-galaxy:dwva="Decentralized Exchange"
Metadata
Refers to data that provides information about a certain item’s content. For example, an image may include information that describes how large the picture is or when the image was created, while a text document may contain information about the author of the document, or the IP address of the document’s author, and so on.
The tag is: misp-galaxy:dwva="Metadata"
Exit scam
An exit scam can be performed by a darknet market or a single-vendor shop: one or more of the market admins prevent users from withdrawing funds through the escrow system and then close the market, exiting with all the bitcoin and other digital currencies they were holding in escrow.
The tag is: misp-galaxy:dwva="Exit scam"
Smart contract
A smart contract is a self-executing contract with the terms of the agreement between buyer and seller being directly written into lines of code. The code and the agreements contained therein exist across a distributed, decentralized blockchain network. The code controls the execution, and transactions are trackable and irreversible.
The tag is: misp-galaxy:dwva="Smart contract"
Service Provider
An actor that provides a service by making available and managing infrastructure or by executing a process.
The tag is: misp-galaxy:dwva="Service Provider"
Administrator
An actor whose job it is to supervise the technical operation of a service.
The tag is: misp-galaxy:dwva="Administrator"
Virtual Asset
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.
The tag is: misp-galaxy:dwva="Virtual Asset "
Shop
A shop is a service where products from one actor (the shop owner) are traded.
The tag is: misp-galaxy:dwva="Shop"
Hosted wallet
A digital account hosted by a third-party financial institution, known as a Virtual Asset Service Provider (VASP), which allows the account holder (the user) to store, send, and receive cryptocurrency.
The tag is: misp-galaxy:dwva="Hosted wallet"
Links |
https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf |
.Onion
A special-use top-level domain designating an anonymous onion service, formerly known as a "hidden service". The name refers to the layered ("onion") encryption applied across the Tor relays that carry the traffic.
The tag is: misp-galaxy:dwva=".Onion"
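As an added example (not part of the INTERPOL taxonomy or of MISP), the following Python validates and triages .onion indicators before they are stored as attributes. A v3 address is base32(PUBKEY || CHECKSUM || VERSION): a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03, giving 56 characters; v2 addresses were 16 base32 characters and have been unreachable on the Tor network since 2021. The 32-byte key used in the demo is a constructed value, not a real service key, and the function names are the example's own.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], per rend-spec-v3."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion": 35 bytes -> 56 chars."""
    if len(pubkey) != 32:
        raise ValueError("an ed25519 public key is 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Validate a v3 address and return the embedded ed25519 public key.
    Raises ValueError on length, alphabet, version or checksum problems."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != 56 or not set(host) <= B32_ALPHABET:
        raise ValueError("v3 onion body must be 56 base32 characters")
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion version byte {version.hex()}")
    if checksum != v3_checksum(pubkey):
        raise ValueError("checksum mismatch: typo, truncation or forged address")
    return pubkey


def classify_onion(indicator: str) -> str:
    """Triage a hostname the way an analyst might before accepting it as an indicator."""
    host = indicator.strip().lower()
    if not host.endswith(".onion"):
        return "not-onion"
    body = host[:-len(".onion")]
    if len(body) == 16 and set(body) <= B32_ALPHABET:
        # v2: base32 of the first 80 bits of SHA-1 over the RSA-1024 key; removed from Tor in 2021
        return "v2-deprecated"
    try:
        decode_onion_v3(host)
        return "v3"
    except ValueError:
        return "invalid"


if __name__ == "__main__":
    demo_key = bytes(range(32))           # constructed 32-byte value, not a real service key
    addr = encode_onion_v3(demo_key)
    indicators = [addr, addr[:55] + "a.onion", "a" * 16 + ".onion", "example.com"]
    for ind in indicators:
        print(f"{classify_onion(ind):14} {ind}")
```

Because the version byte is always 0x03 and is the last thing encoded, every valid v3 address ends in the letter d, a quick sanity check before the full checksum. Verifying the checksum catches the most common defect in shared indicators, a truncated or mistyped address, and the extracted key is what a later descriptor lookup would be authenticated against.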
Bridge
Blockchain bridges enable interoperability between vastly different networks, such as Bitcoin and Ethereum, and between one parent blockchain and its sidechains.
The tag is: misp-galaxy:dwva="Bridge"
Links |
https://blog.makerdao.com/what-are-blockchain-bridges-and-why-are-they-important-for-defi/ |
Unhosted wallet
A wallet that is not hosted by a third-party financial system. It can be very difficult or impossible to determine who is accessing or in control of the use of cryptocurrencies in an unhosted wallet. Unhosted wallets allow for anonymity and concealment of illicit financial activity.
The tag is: misp-galaxy:dwva="Unhosted wallet"
Links |
https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf |
Drop Ship
A vending tactic involving the vendor passing the buyer’s address on to another vendor to ship to, eliminating any need for the middleman (dropshipper) to handle anything illegal in person.
The tag is: misp-galaxy:dwva="Drop Ship"
Links |
DNM Bible Glossary |
Sidechain
A sidechain is a side blockchain that is linked to another blockchain, referred to as the main chain, via a two-way peg.
The tag is: misp-galaxy:dwva="Sidechain"
Flash Loan
A cryptocurrency loan executed through a smart contract, with no collateral, that must be paid back within the same block. The purpose of a flash loan is to gain money through arbitrage (on different exchanges or different assets) without providing any collateral.
The tag is: misp-galaxy:dwva="Flash Loan"
Escrow
An escrow is a contractual arrangement in which a third party (the stakeholder or escrow agent) receives and disburses money or property for the primary transacting parties, with the disbursement dependent on conditions agreed to by the transacting parties.
The tag is: misp-galaxy:dwva="Escrow"
Proof of Work
The Bitcoin blockchain is constructed and validated by computation. Miners work to validate the blockchain with their computation power, proving their work for a reward. The Bitcoin blockchain is based on Proof-of-Work.
The tag is: misp-galaxy:dwva="Proof of Work"
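A minimal proof-of-work loop, added here as an example rather than taken from the taxonomy or from Bitcoin's code: the miner searches for a nonce whose double-SHA-256 hash falls below a target, while any node can verify the result with a single hash. The header is a constructed stand-in for a real block header, and difficulty is expressed as leading zero bits instead of Bitcoin's compact nBits encoding.

```python
import hashlib


def pow_hash(header: bytes, nonce: int) -> int:
    """Bitcoin-style double SHA-256 over header || nonce, read as a 256-bit integer."""
    digest = hashlib.sha256(hashlib.sha256(header + nonce.to_bytes(4, "little")).digest()).digest()
    return int.from_bytes(digest, "big")


def target_for(difficulty_bits: int) -> int:
    """A block is valid when its hash is below the target, i.e. its first
    difficulty_bits bits are zero. Bitcoin encodes the target compactly as nBits."""
    return 1 << (256 - difficulty_bits)


def verify_pow(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Cheap for every node: one hash, however much work the miner spent."""
    return pow_hash(header, nonce) < target_for(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> int:
    """Expensive for the miner: try nonces until the hash falls below the target.
    Expected cost is about 2**difficulty_bits hashes; every extra bit doubles it."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        if pow_hash(header, nonce) < target:
            return nonce
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


if __name__ == "__main__":
    # constructed header stand-in (real headers carry prev hash, merkle root, time, nBits)
    header = b"prev=constructed|merkle=constructed|time=0"
    for bits in (8, 12, 16):
        nonce = mine(header, bits)
        print(f"{bits:2} leading zero bits -> nonce {nonce:8} hash {pow_hash(header, nonce):064x}")
```

The asymmetry is the whole point: `mine` at 16 bits takes tens of thousands of hashes, `verify_pow` always takes one, and a nonce found for a harder target still satisfies every easier one.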
Tumbler
A method of scrambling or anonymizing the source of one’s cryptocurrencies.
The tag is: misp-galaxy:dwva="Tumbler"
Unspent Transaction Output
An unspent transaction output (UTXO) of a cryptocurrency. Such outputs serve as the inputs to new transactions.
The tag is: misp-galaxy:dwva="Unspent Transaction Output"
Crypto-assets
A crypto-asset (…) is a digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a ledger existing in a form of a computerized database using strong cryptography to secure transaction records, to control the creation of additional coins, and to verify the transfer of coin ownership.
The tag is: misp-galaxy:dwva="Crypto-assets"
Bitcoin cash
Bitcoin Cash is a cryptocurrency that is a fork of Bitcoin. Bitcoin Cash is a spin-off or altcoin that was created in 2017.
The tag is: misp-galaxy:dwva="Bitcoin cash"
FIAT currencies
Fiat money is a currency (a medium of exchange) established as money, often by government regulation. Fiat money does not have intrinsic value and does not have use value. It has value only because a government maintains its value, or because parties engaging in exchange agree on its value.
The tag is: misp-galaxy:dwva="FIAT currencies"
Crypto ATM
A Bitcoin ATM (Automated Teller Machine) is a kiosk that allows a person to purchase Bitcoin and other cryptocurrencies by using cash or debit card. Some types of ATM also allow users to sell their cryptocurrency, dispensing cash in payment. Depending on the provider, the ATM can require KYC verification.
The tag is: misp-galaxy:dwva="Crypto ATM"
Ethereum
Ethereum is a decentralized, open-source blockchain with smart contract functionality. Ether (ETH) is the native cryptocurrency of the platform. It is the second-largest cryptocurrency by market capitalization, after Bitcoin. Ethereum is the most actively used blockchain.
The tag is: misp-galaxy:dwva="Ethereum"
Yield farming
A process that lets you earn either fixed or variable interest by investing crypto in a DeFi market.
The tag is: misp-galaxy:dwva="Yield farming"
Links |
https://decrypt.co/resources/what-is-yield-farming-beginners-guide |
Invisible Internet Protocol
An "anonymous overlay network" using the garlic routing protocol, which encrypts multiple messages together to make traffic analysis difficult while increasing network throughput. Each encrypted message carries its own delivery instructions, and each endpoint is identified by a cryptographic identifier (its "keys"). Since I2P is entirely peer-to-peer in structure, there is no hard-coded trusted set of directory servers; instead the network database, netDb, is distributed and replicated across the network.
The tag is: misp-galaxy:dwva="Invisible Internet Protocol"
Hidden Service
A collective name for websites that require a special browser or client in order to be accessed.
The tag is: misp-galaxy:dwva="Hidden Service"
Relay (node)
A relay is a node in the Tor network. When a request to access a particular hidden service is made, the Tor client selects a circuit through a series of relays and negotiates a separate cryptographic key with each of them, so the content can be fetched without disclosing the IP address of the request originator. Each relay decrypts one layer of encryption, which reveals the next relay in the circuit, and passes the remaining encrypted data on to it. The final relay decrypts the innermost layer and sends the original data to its destination without knowing the source IP address.
The tag is: misp-galaxy:dwva="Relay (node)"
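The layer-by-layer decryption described above, as an added example that is not part of the taxonomy or of Tor's own code. The per-hop session keys are constructed values (Tor negotiates them with each relay using the ntor handshake), and the "cipher" is an HMAC-SHA256 keystream XOR standing in for Tor's AES-CTR; the point is the layering, not the cryptography. Unlike Tor, which uses fixed-size cells, each layer here visibly adds a 16-byte next-hop field.

```python
import hashlib
import hmac

NEXT_HOP_LEN = 16   # fixed-width next-hop field inside every layer


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream. Symmetric (encrypt == decrypt) like the
    AES-CTR Tor uses, but this is a teaching stand-in, NOT a cipher to deploy."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_onion(path, destination, payload, nonce):
    """Client side. path = [(relay_name, session_key), ...], guard first.
    Wrap from the exit inwards so the guard's layer ends up outermost:
      E_k1( next=relay2 || E_k2( next=relay3 || E_k3( next=destination || payload ) ) )"""
    next_hop, cell = destination, payload
    for name, key in reversed(path):
        header = next_hop.encode().ljust(NEXT_HOP_LEN, b"\0")
        if len(header) != NEXT_HOP_LEN:
            raise ValueError("hop name too long for the header field")
        cell = toy_stream_cipher(key, nonce, header + cell)
        next_hop = name
    return next_hop, cell          # the first relay to contact, and the cell to send it


def relay_peel(key, nonce, cell):
    """Relay side: strip exactly one layer. The relay learns only the next hop; the
    remainder is still encrypted for the relays further down the circuit."""
    plain = toy_stream_cipher(key, nonce, cell)
    return plain[:NEXT_HOP_LEN].rstrip(b"\0").decode(), plain[NEXT_HOP_LEN:]


def run_circuit(path, destination, payload, nonce=b"circuit-0001"):
    """Simulate the forwarding chain. Returns (final hop, delivered bytes, trace), where the
    trace records per relay: (relay, next hop it learned, whether it saw the plaintext)."""
    keys = dict(path)
    hop, cell = build_onion(path, destination, payload, nonce)
    trace = []
    while hop in keys:
        next_hop, cell = relay_peel(keys[hop], nonce, cell)
        trace.append((hop, next_hop, cell == payload))
        hop = next_hop
    return hop, cell, trace


if __name__ == "__main__":
    # constructed per-hop session keys; real Tor derives these from the ntor handshake
    circuit = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]
    dest, data, trace = run_circuit(circuit, "example.com:443", b"GET / HTTP/1.1")
    for relay, nxt, saw_plaintext in trace:
        print(f"{relay:7} -> {nxt:16} sees plaintext: {saw_plaintext}")
    print(dest, data)
```

The trace makes the security property visible: the guard knows the client and the middle relay, the middle relay knows only its two neighbours, and only the exit sees the payload and destination, while never learning the client's address.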
Bitcoin Improvement Proposals
Bitcoin Improvement Proposals (BIPs) are the equivalent of RFCs: they define the protocols and data structures of Bitcoin. They are developed and maintained in the Bitcoin GitHub repository.
The tag is: misp-galaxy:dwva="Bitcoin Improvement Proposals"
Decentralized Finances
Smart contracts and DApps on blockchains, mainly on the Ethereum network, used to provide traditional financial services. The technology makes transactions hard to tamper with and offers some level of anonymity and privacy. Transactions are confirmed relatively fast, but most services lack KYC and AML compliance controls and offer limited to no user support and customer care. Current DeFi innovations include lending platforms, prediction markets, decentralised exchanges (DEXs), and staking and pooling platforms.
The tag is: misp-galaxy:dwva="Decentralized Finances"
Customer
The end user of a service. Customer would be paying for the services (buying good, using a service, owning an asset…).
The tag is: misp-galaxy:dwva="Customer"
Litecoin
Litecoin (LTC or Ł) is a peer-to-peer cryptocurrency and open-source software project released under the MIT/X11 license. Litecoin was an early bitcoin spinoff or altcoin, starting in October 2011. In technical details, Litecoin is nearly identical to Bitcoin.
The tag is: misp-galaxy:dwva="Litecoin"
Cyberterrorist
Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.
The tag is: misp-galaxy:dwva="Cyberterrorist"
Tether
Tether is a controversial cryptocurrency with tokens issued by Tether Limited. It formerly falsely claimed that each token was backed by one United States dollar, but on 14 March 2019 changed the backing to include loans to affiliate companies.
The tag is: misp-galaxy:dwva="Tether"
Bank
A bank is a financial institution that accepts deposits from the public and creates a demand deposit while simultaneously making loans.
The tag is: misp-galaxy:dwva="Bank"
Monero
An open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. Monero (XMR) uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination.
The tag is: misp-galaxy:dwva="Monero"
Binance Coin
BNB powers the Binance Ecosystem. As the native coin of Binance Chain, BNB has multiple use cases: fueling transactions on the Chain, paying for transaction fees on Binance Exchange, making in-store payments, and many more.
The tag is: misp-galaxy:dwva="Binance Coin"
Invisible Internet protocol network
A type of anonymity network similar to Tor, based on the Invisible Internet Project protocol.
The tag is: misp-galaxy:dwva="Invisible Internet protocol network"
Darknet market
A darknet market is a commercial website on the web that operates via darknets such as Tor or I2P. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products.
The tag is: misp-galaxy:dwva="Darknet market"
Pretty Good Privacy
PGP, an abbreviation for Pretty Good Privacy, is an encryption program popular for encrypting emails and files. Through the use of public and private key pairs, it allows users who have never met to exchange encrypted messages and files without first having to share a secret key.
The tag is: misp-galaxy:dwva="Pretty Good Privacy"
Takedown notice
Notice and take down is a process operated by online hosts in response to court orders or allegations that content is illegal. Content is removed by the host following notice.
The tag is: misp-galaxy:dwva="Takedown notice"
Victim
Someone or something that has been hurt, damaged, or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance.
The tag is: misp-galaxy:dwva="Victim"
Polkadot
Polkadot is a heterogeneous multi-chain interchange and translation architecture which enables customised side-chains to connect with public blockchains.
The tag is: misp-galaxy:dwva="Polkadot"
Bank credentials
Login credentials for e-services that are provided by financial institutions with a bank license.
The tag is: misp-galaxy:dwva="Bank credentials"
Money mule
A money mule, sometimes called a "smurfer," is a person who transfers money acquired illegally in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred.
The tag is: misp-galaxy:dwva="Money mule"
Internet Relay Chat
A text-based chat service enabling users connected to a server to communicate with each other in real-time.
The tag is: misp-galaxy:dwva="Internet Relay Chat"
Software wallet
A [software] cryptocurrency wallet is a (…) program or a service which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.
The tag is: misp-galaxy:dwva="Software wallet"
Cardano
Cardano is a public blockchain platform. It is open source and decentralized, with consensus achieved using proof of stake. It can facilitate peer-to-peer transactions with its internal cryptocurrency Ada.
The tag is: misp-galaxy:dwva="Cardano"
Dogecoin
Dogecoin (code: DOGE, symbol: Ð) is a cryptocurrency created by software engineers Billy Markus and Jackson Palmer, who decided to create a payment system that is instant, fun, and free from traditional banking fees.
The tag is: misp-galaxy:dwva="Dogecoin"
Exchange
Trading platform (commonly referred to as an "Exchange") is the term used here to describe any venue which facilitates the exchange of tokens for any form of money or asset. Trading platforms provide services to buy and sell tokens and/or to exchange national (fiat) currencies backed by central banks.
The tag is: misp-galaxy:dwva="Exchange"
Blockchain
Blockchain is a distributed ledger technology built on peer-to-peer networking principles and cryptographic primitives such as asymmetric cryptography and digital signatures. It allows mutually distrusting users to exchange information and record transactions without an external coordinator and without any single party being able to interfere with the record.
The tag is: misp-galaxy:dwva="Blockchain"
Darknet Email Service
Messaging services hosted or accessible via privacy enhanced networks.
The tag is: misp-galaxy:dwva="Darknet Email Service"
Credentials
A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so.
The tag is: misp-galaxy:dwva="Credentials"
Rug pull
A rug pull is a malicious maneuver in the cryptocurrency industry where crypto developers abandon a project and run away with investors' funds.
The tag is: misp-galaxy:dwva="Rug pull"
Moderator
A person who manages the discussion contributions in an online forum.
The tag is: misp-galaxy:dwva="Moderator"
TOR Network
A network of relays that layers encryption to conceal a web user's location and usage, making them resistant to surveillance and traffic analysis. Sites hosted inside the network (onion services) have names ending in '.onion' and are only reachable through Tor, for example with the Tor Browser. Tor stands for 'The Onion Router'.
The tag is: misp-galaxy:dwva="TOR Network"
ZeroNet
One of the newest darknets, becoming increasingly popular. It is a combination of trackerless BitTorrent and a blockchain for persistent site and user identity. ZeroNet can optionally route its traffic through the Tor network for anonymity. It is a full mesh network in which every client is also a server: by browsing to a "zite" (ZeroNet's term for a site), the visiting machine automatically becomes one of the servers for that zite as well.
The tag is: misp-galaxy:dwva="ZeroNet"
Dead drop
The dead drop is a delivery model used by some vendors to distribute their products. A vendor uses a ‘dropman’ to hide consignments of pre-packaged drug deals in a number of suitably discreet offline locations. When a buyer makes a purchase from the vendor the geo-coordinates are provided to them for them to collect their order.
The tag is: misp-galaxy:dwva="Dead drop"
Coinjoin
Coinjoin is a method of mixing cryptocurrency tokens or coins, where two or more user transactions are combined into a single transaction on the blockchain, with multiple inputs and outputs. The concept behind that methodology is to obfuscate the link between an input and an output that would otherwise be apparent in a standard, single-user transaction. The coinjoin methodology is open-source and integrated into some software wallets, and is also available for use via a hosted online service.
The tag is: misp-galaxy:dwva="Coinjoin"
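The mechanism described above, as an added example that is not part of the original glossary or of any wallet or chain-analysis product: a toy single-user payment next to a toy equal-denomination CoinJoin, with the heuristics an analyst would run over each. The two transactions are constructed records (amounts in satoshi, no scripts), and the thresholds in is_likely_coinjoin are assumptions chosen for illustration, not a published detection rule. link_change shows the caveat a practitioner should know: the mixed outputs are indistinguishable, but a change output that equals input minus denomination minus fee is trivially tied back to its input.

```python
"""Why a CoinJoin breaks the input-to-output link, and where it still leaks.

Added example for this page, not from any wallet or chain-analysis product.
The two transactions are constructed toy records (amounts in satoshi, no
scripts), and the thresholds in is_likely_coinjoin are assumptions chosen
for illustration, not a published detection rule.
"""
from __future__ import annotations

from collections import Counter

# Constructed: an ordinary two-input payment with one change output.
PAYMENT_TX = {
    "inputs": [{"value": 80_000}, {"value": 120_000}],
    "outputs": [{"value": 150_000}, {"value": 49_000}],
}

# Constructed: five participants each put in one input and take back one
# 100_000 output plus their change. Per-participant fee: 500.
COINJOIN_TX = {
    "inputs": [{"value": v} for v in (130_000, 105_000, 250_000, 112_000, 120_000)],
    "outputs": [{"value": 100_000} for _ in range(5)]
               + [{"value": v} for v in (29_500, 4_500, 149_500, 11_500, 19_500)],
}


def equal_output_groups(tx: dict) -> dict[int, int]:
    """Amounts that appear in two or more outputs, with their multiplicity."""
    counts = Counter(o["value"] for o in tx["outputs"])
    return {amt: n for amt, n in counts.items() if n >= 2}


def anonymity_set(tx: dict) -> int:
    """How many parties an equal-denomination output could belong to.
    1 means every output is unique, i.e. nothing is hidden."""
    return max(equal_output_groups(tx).values(), default=1)


def is_likely_coinjoin(tx: dict, min_equal_outputs: int = 3) -> bool:
    """Heuristic (thresholds assumed): at least min_equal_outputs outputs of
    one amount, and at least that many inputs to have paid for them."""
    groups = equal_output_groups(tx)
    if not groups:
        return False
    n = max(groups.values())
    return n >= min_equal_outputs and len(tx["inputs"]) >= n


def candidate_owners(tx: dict, output_index: int) -> list[int]:
    """Inputs (by index) that could have funded one output on their own.

    In an ordinary transaction all inputs are assumed to be one party
    (common-input-ownership heuristic), so this tells an analyst nothing
    new. In a CoinJoin each input is a different party, and any input large
    enough to pay the denomination is a candidate owner."""
    value = tx["outputs"][output_index]["value"]
    return [i for i, inp in enumerate(tx["inputs"]) if inp["value"] >= value]


def link_change(tx: dict, denomination: int, fee_share: int) -> dict[int, int]:
    """The leak: a non-mixed change output equal to
    input - denomination - fee_share is trivially tied back to its input.
    Returns {output_index: input_index} for every such match."""
    links: dict[int, int] = {}
    for oi, out in enumerate(tx["outputs"]):
        if out["value"] == denomination:
            continue  # mixed output: every participant is a candidate
        for ii, inp in enumerate(tx["inputs"]):
            if inp["value"] - denomination - fee_share == out["value"]:
                links[oi] = ii
    return links


if __name__ == "__main__":
    for name, tx in (("payment", PAYMENT_TX), ("coinjoin", COINJOIN_TX)):
        print(name, "coinjoin?", is_likely_coinjoin(tx), "anonymity set", anonymity_set(tx))
    print("owners of output 0:", candidate_owners(COINJOIN_TX, 0))
    print("change outputs linked to inputs:", link_change(COINJOIN_TX, 100_000, 500))
```

For the constructed CoinJoin every one of the five mixed outputs has five candidate owners, while link_change pairs each of the five change outputs with exactly one input; this is why wallets that implement the method warn about spending change ("toxic change") alongside mixed coins.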
Paste site/service
A pastebin or text storage site is a type of online content hosting service where users can store plain text, e.g. to share source code snippets for code review via Internet Relay Chat (IRC).
The tag is: misp-galaxy:dwva="Paste site/service"
Deep Web
The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard web search-engines.
The tag is: misp-galaxy:dwva="Deep Web"
Cryptocurrencies User
A user of a decentralized virtual currency that employs cryptography to achieve tamper resistance.
The tag is: misp-galaxy:dwva="Cryptocurrencies User"
Flash loan attack
An attack on a DeFi protocol that uses a flash loan (a loan borrowed and repaid within a single transaction, so the attacker needs no capital of their own) to exploit a vulnerability in the protocol's logic.
The tag is: misp-galaxy:dwva="Flash loan attack"
Privacy coin
Privacy coins are a class of cryptocurrencies that power private and anonymous blockchain transactions by obscuring their origin and destination. Some of the techniques used include hiding a user’s real wallet balance and address, and mixing multiple transactions with each other to elude chain analysis.
The tag is: misp-galaxy:dwva="Privacy coin"
Peer-to-peer exchange
The exchange or sharing of information, data, or assets between parties without the involvement of a central authority. Peer-to-peer, or P2P, takes a decentralized approach to interactions between individuals and groups. This approach has been used in computers and networking (peer-to-peer file sharing), as well as with virtual assets trading.
The tag is: misp-galaxy:dwva="Peer-to-peer exchange"
Proxy
A service that substitutes its own IP address for the user's when the user accesses the Internet.
The tag is: misp-galaxy:dwva="Proxy"
Scam
Scam denotes a fraudulent or deceptive act or operation.
The tag is: misp-galaxy:dwva="Scam"
Sextortion
Sextortion refers to the broad category of sexual exploitation in which abuse of power is the means of coercion, as well as to the category of sexual exploitation in which threatened release of sexual images or information is the means of coercion.
The tag is: misp-galaxy:dwva="Sextortion"
Phishing
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
The tag is: misp-galaxy:dwva="Phishing"
Service Hack
A service hack denotes the digital intrusion into a service with the goal to steal funds.
The tag is: misp-galaxy:dwva="Service Hack"
Ransomware
Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
The tag is: misp-galaxy:dwva="Ransomware"
Ponzi Scheme
A Ponzi scheme is a form of fraud that lures investors and pays profits to earlier investors with funds from more recent investors.
The tag is: misp-galaxy:dwva="Ponzi Scheme"
Malpedia
Malware galaxy cluster based on Malpedia.
Malpedia is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
- authors
-
Davide Arcuri - Alexandre Dulaunoy - Steffen Enders - Andrea Garavaglia - Andras Iklody - Daniel Plohmann - Christophe Vandeplas
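Every entry below is rendered from the cluster JSON mentioned above: a heading, an optional description, a "The tag is:" line and an "is also known as:" list. The following is an added example of that generation step, not code from the MISP project. It assumes the cluster layout of the misp-galaxy repository (top-level "type" and "values"; each value with "value", "description" and "meta.synonyms" / "meta.refs"); SAMPLE_CLUSTER is a constructed four-entry excerpt in that layout whose names and links are copied from entries on this page. It also handles a case this page actually contains: AmexTroll is both a value of its own and a synonym of BRATA, so an alias lookup must return every candidate instead of silently picking one.

```python
"""Turn a misp-galaxy cluster file into the tag strings and
"is also known as" lists shown throughout this document.

Added example for this page, not code from the MISP project. It assumes the
cluster JSON layout of the misp-galaxy repository (top-level "type" and
"values"; each value with "value", "description" and "meta.synonyms" /
"meta.refs"). SAMPLE_CLUSTER is a constructed four-entry excerpt in that
layout; the names and links are copied from the entries on this page.
"""
from __future__ import annotations

import json
from collections import defaultdict

SAMPLE_CLUSTER = json.loads(r'''
{
  "name": "Malpedia",
  "type": "malpedia",
  "description": "Malware galaxy cluster based on Malpedia.",
  "values": [
    {"value": "FluBot",
     "description": "Banking malware which originally targeted Spain.",
     "meta": {"synonyms": ["Cabassous", "FakeChat"], "refs": []}},
    {"value": "AmexTroll", "meta": {"synonyms": [], "refs": []}},
    {"value": "BRATA",
     "description": "Factory-resets the device after siphoning money.",
     "meta": {"synonyms": ["AmexTroll", "Copybara"], "refs": []}},
    {"value": "888 RAT",
     "meta": {"synonyms": [],
              "refs": ["https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat",
                       "https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/"]}}
  ]
}
''')


def make_tag(galaxy_type: str, value: str) -> str:
    """Tag MISP attaches when a cluster value is applied:
    misp-galaxy:<type>="<value>". The value is used verbatim; values on
    this page contain spaces and parentheses but no double quotes."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def alias_index(cluster: dict) -> dict[str, list[str]]:
    """Map every value and synonym (case-folded) to the canonical value(s)
    it may denote. A name can be both a value of its own and a synonym of
    another value (AmexTroll vs. BRATA on this page), so each bucket is a
    list rather than a single string."""
    index: dict[str, list[str]] = defaultdict(list)
    for entry in cluster["values"]:
        canonical = entry["value"]
        for name in [canonical, *entry.get("meta", {}).get("synonyms", [])]:
            bucket = index[name.casefold()]
            if canonical not in bucket:
                bucket.append(canonical)
    return dict(index)


def resolve_tags(cluster: dict, name: str) -> list[str]:
    """All tags a free-text malware name could map to; empty if unknown.
    More than one result is an ambiguity to confirm by hand, not a case
    where the first hit should win."""
    return [make_tag(cluster["type"], v)
            for v in alias_index(cluster).get(name.casefold(), [])]


def render_entry(cluster: dict, entry: dict) -> str:
    """Reproduce the layout this page uses for one cluster value."""
    meta = entry.get("meta", {})
    lines = [entry["value"]]
    if entry.get("description"):
        lines.append(entry["description"])
    lines.append(f'The tag is: {make_tag(cluster["type"], entry["value"])}')
    lines.append(f'{entry["value"]} is also known as:')
    lines.extend(f"- {syn}" for syn in meta.get("synonyms", []))
    if meta.get("refs"):
        lines.append("Links")
        lines.extend(meta["refs"])
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in SAMPLE_CLUSTER["values"]:
        print(render_entry(SAMPLE_CLUSTER, entry), end="\n\n")
    print("Cabassous ->", resolve_tags(SAMPLE_CLUSTER, "Cabassous"))
    print("AmexTroll ->", resolve_tags(SAMPLE_CLUSTER, "AmexTroll"))
```

Run against a real cluster file from the misp-galaxy repository, resolve_tags is the lookup to wire into an enrichment step that turns a vendor's family name into the tag to attach; the AmexTroll case returns two tags and should be surfaced to the analyst rather than resolved automatically.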
FastCash
The tag is: misp-galaxy:malpedia="FastCash"
FastCash is also known as:
888 RAT
The tag is: misp-galaxy:malpedia="888 RAT"
888 RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat |
https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/ |
Aberebot
The tag is: misp-galaxy:malpedia="Aberebot"
Aberebot is also known as:
-
Escobar
AbstractEmu
According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.
The tag is: misp-galaxy:malpedia="AbstractEmu"
AbstractEmu is also known as:
ActionSpy
The tag is: misp-galaxy:malpedia="ActionSpy"
ActionSpy is also known as:
-
AxeSpy
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy |
https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/ |
AdoBot
The tag is: misp-galaxy:malpedia="AdoBot"
AdoBot is also known as:
Links |
https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord |
https://twitter.com/LukasStefanko/status/1243198756981559296 |
AdultSwine
The tag is: misp-galaxy:malpedia="AdultSwine"
AdultSwine is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine |
https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/ |
Agent Smith
The tag is: misp-galaxy:malpedia="Agent Smith"
Agent Smith is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.agentsmith |
https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/ |
AhMyth
According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.
The tag is: misp-galaxy:malpedia="AhMyth"
AhMyth is also known as:
Alien
According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.
The tag is: misp-galaxy:malpedia="Alien"
Alien is also known as:
-
AlienBot
AmexTroll
The tag is: misp-galaxy:malpedia="AmexTroll"
AmexTroll is also known as:
AmpleBot
This malware was initially named BlackRock and later renamed to AmpleBot.
The tag is: misp-galaxy:malpedia="AmpleBot"
AmpleBot is also known as:
-
BlackRock
Anatsa
The tag is: misp-galaxy:malpedia="Anatsa"
Anatsa is also known as:
-
ReBot
-
TeaBot
-
Toddler
AndroRAT
Androrat is a remote administration tool developed in Java (Android) for the client side and in Java/Swing for the server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It was developed by a team of four for a university project. The goal of the application is to control the Android system remotely and retrieve information from it.
The tag is: misp-galaxy:malpedia="AndroRAT"
AndroRAT is also known as:
ANDROSNATCH
According to Google, a Chrome cookie stealer.
The tag is: misp-galaxy:malpedia="ANDROSNATCH"
ANDROSNATCH is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.androsnatch |
Anubis (Android)
BleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app’s login screen to make victims think it’s a legitimate login form when in reality, inputted credentials are sent to the attackers.
In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:
- Recording screen activity and sound from the microphone
- Implementing a SOCKS5 proxy for covert communication and package delivery
- Capturing screenshots
- Sending mass SMS messages from the device to specified recipients
- Retrieving contacts stored on the device
- Sending, reading, deleting, and blocking notifications for SMS messages received by the device
- Scanning the device for files of interest to exfiltrate
- Locking the device screen and displaying a persistent ransom note
- Submitting USSD code requests to query bank balances
- Capturing GPS data and pedometer statistics
- Implementing a keylogger to steal credentials
- Monitoring active apps to mimic and perform overlay attacks
- Stopping malicious functionality and removing the malware from the device
The tag is: misp-galaxy:malpedia="Anubis (Android)"
Anubis (Android) is also known as:
-
BankBot
-
android.bankbot
-
android.bankspy
AnubisSpy
The tag is: misp-galaxy:malpedia="AnubisSpy"
AnubisSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy |
Asacub
The tag is: misp-galaxy:malpedia="Asacub"
Asacub is also known as:
Links |
https://securelist.com/the-rise-of-mobile-banker-asacub/87591/ |
Ashas
The tag is: misp-galaxy:malpedia="Ashas"
Ashas is also known as:
Links |
https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/ |
ATANK
According to Lukas Stefanko, this is an open-source crypto-ransomware found on GitHub in 2018. It can encrypt and decrypt files (AES, with a key of 32 random characters that is sent to the C&C), uses email as the contact point, and deletes all files after 24 hours or after a reboot.
The tag is: misp-galaxy:malpedia="ATANK"
ATANK is also known as:
Links |
https://twitter.com/LukasStefanko/status/1268070798293708800 |
AxBanker
According to EnigmaSoft, AxBanker is a banking Trojan targeting Android devices specifically. The threatening tool has been deployed as part of large attack campaigns against users in India. The threat actors use smishing (SMS phishing) techniques to smuggle the malware threat onto the victims' devices. The fake applications carrying AxBanker are designed to visually impersonate the official applications of popular Indian banking organizations. The weaponized applications use fake promises or rewards and discounts as additional lures.
The tag is: misp-galaxy:malpedia="AxBanker"
AxBanker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.axbanker |
https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks |
badbazaar
BadBazaar is Android malware that Lookout tracks as surveillanceware (see link). It is distributed through malicious apps downloaded from unofficial app stores or third-party websites. Once installed, BadBazaar seeks to steal financial information and login credentials by intercepting SMS messages, recording the screen, and logging keystrokes on the device. It can also execute remote commands and download and install further malicious applications, compromising the affected device further.
The tag is: misp-galaxy:malpedia="badbazaar"
badbazaar is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.badbazaar |
https://www.lookout.com/threat-intelligence/article/badbazaar-surveillanceware-apt15 |
BADCALL (Android)
Remote access tool (RAT) payload for Android devices.
The tag is: misp-galaxy:malpedia="BADCALL (Android)"
BADCALL (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall |
BadPatch
The tag is: misp-galaxy:malpedia="BadPatch"
BadPatch is also known as:
-
WelcomeChat
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch |
https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/ |
Bahamut (Android)
According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. The newest malware version targets various messaging apps and personally identifiable information.
The tag is: misp-galaxy:malpedia="Bahamut (Android)"
Bahamut (Android) is also known as:
Basbanke
The tag is: misp-galaxy:malpedia="Basbanke"
Basbanke is also known as:
BianLian (Android)
The tag is: misp-galaxy:malpedia="BianLian (Android)"
BianLian (Android) is also known as:
-
Hydra
BingoMod
The tag is: misp-galaxy:malpedia="BingoMod"
BingoMod is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.bingomod |
https://www.cleafy.com/cleafy-labs/bingomod-the-new-android-rat-that-steals-money-and-wipes-data |
BlankBot
The tag is: misp-galaxy:malpedia="BlankBot"
BlankBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.blankbot |
BrasDex
According to PCrisk, BrasDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.
At the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.
The tag is: misp-galaxy:malpedia="BrasDex"
BrasDex is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex |
https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html |
BRATA
According to Cleafy, the victim’s Android device is factory reset after the attackers siphon money from the victim’s bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.
The tag is: misp-galaxy:malpedia="BRATA"
BRATA is also known as:
-
AmexTroll
-
Copybara
Brunhilda
PRODAFT describes Brunhilda as a "Dropper as a Service" for Google Play, delivering e.g. Alien.
The tag is: misp-galaxy:malpedia="Brunhilda"
Brunhilda is also known as:
BusyGasper
The tag is: misp-galaxy:malpedia="BusyGasper"
BusyGasper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper |
CapraRAT
According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (APT) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.
The tag is: misp-galaxy:malpedia="CapraRAT"
CapraRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat |
CarbonSteal
The tag is: misp-galaxy:malpedia="CarbonSteal"
CarbonSteal is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal |
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf |
Catelites
Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.
The tag is: misp-galaxy:malpedia="Catelites"
Catelites is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites |
https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang |
Cerberus
According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.
The tag is: misp-galaxy:malpedia="Cerberus"
Cerberus is also known as:
Chameleon
Chameleon is an Android trojan that impersonates legitimate entities to steal data from users in Australia and Poland. It abuses the Accessibility Service to monitor and modify the device screen.
The tag is: misp-galaxy:malpedia="Chameleon"
Chameleon is also known as:
Chamois
The tag is: misp-galaxy:malpedia="Chamois"
Chamois is also known as:
Charger
The tag is: misp-galaxy:malpedia="Charger"
Charger is also known as:
Chinotto (Android)
The tag is: misp-galaxy:malpedia="Chinotto (Android)"
Chinotto (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.chinotto |
https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/ |
Chrysaor
The tag is: misp-galaxy:malpedia="Chrysaor"
Chrysaor is also known as:
-
JigglyPuff
-
Pegasus
Clientor
The tag is: misp-galaxy:malpedia="Clientor"
Clientor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor |
https://twitter.com/LukasStefanko/status/1042297855602503681 |
Clipper
The tag is: misp-galaxy:malpedia="Clipper"
Clipper is also known as:
CloudAtlas
The tag is: misp-galaxy:malpedia="CloudAtlas"
CloudAtlas is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas |
CometBot
The tag is: misp-galaxy:malpedia="CometBot"
CometBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot |
https://twitter.com/LukasStefanko/status/1102937833071935491 |
Connic
The tag is: misp-galaxy:malpedia="Connic"
Connic is also known as:
-
SpyBanker
Links |
https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/ |
Coper
Coper is a descendant of ExoBotCompat, which was a rewritten version of Exobot. Malicious Coper apps have a modular architecture and a multi-stage infection mechanism. Coper was originally spotted in Colombia but has since emerged in Europe as well.
The tag is: misp-galaxy:malpedia="Coper"
Coper is also known as:
-
ExobotCompact
-
Octo
Copybara
The tag is: misp-galaxy:malpedia="Copybara"
Copybara is also known as:
Coronavirus Android Worm
Poses as an app that can offer a "corona safety mask" but instead reads the phone's address book and sends SMS messages to the contacts, spreading its own download link.
The tag is: misp-galaxy:malpedia="Coronavirus Android Worm"
Coronavirus Android Worm is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm |
Cpuminer (Android)
The tag is: misp-galaxy:malpedia="Cpuminer (Android)"
Cpuminer (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer |
CraxsRAT
The tag is: misp-galaxy:malpedia="CraxsRAT"
CraxsRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.craxs_rat |
CryCryptor
According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.
When CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.
When files have been encrypted, a notification is displayed directing users to open the ransom note.
The tag is: misp-galaxy:malpedia="CryCryptor"
CryCryptor is also known as:
-
CryCrypter
-
CryDroid
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor |
CyberAzov
The tag is: misp-galaxy:malpedia="CyberAzov"
CyberAzov is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov |
https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag |
DAAM
According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.
Lookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
The tag is: misp-galaxy:malpedia="DAAM"
DAAM is also known as:
-
BouldSpy
Dark Shades
The tag is: misp-galaxy:malpedia="Dark Shades"
Dark Shades is also known as:
-
Rogue
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades |
https://twitter.com/LukasStefanko/status/1252163657036976129 |
DawDropper
The tag is: misp-galaxy:malpedia="DawDropper"
DawDropper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dawdropper |
DEFENSOR ID
The tag is: misp-galaxy:malpedia="DEFENSOR ID"
DEFENSOR ID is also known as:
-
Defensor Digital
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id |
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf |
Dendroid
The tag is: misp-galaxy:malpedia="Dendroid"
Dendroid is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid |
dmsSpy
The tag is: misp-galaxy:malpedia="dmsSpy"
dmsSpy is also known as:
Links |
https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ |
DoubleAgent
The tag is: misp-galaxy:malpedia="DoubleAgent"
DoubleAgent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent |
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf |
DoubleLocker
The tag is: misp-galaxy:malpedia="DoubleLocker"
DoubleLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker |
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/ |
Dracarys
Android malware that impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites.
The tag is: misp-galaxy:malpedia="Dracarys"
Dracarys is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dracarys |
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/ |
DragonEgg
Android variant of ios.LightSpy.
The tag is: misp-galaxy:malpedia="DragonEgg"
DragonEgg is also known as:
-
LightSpy
DroidJack
The tag is: misp-galaxy:malpedia="DroidJack"
DroidJack is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack |
https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic |
DroidWatcher
The tag is: misp-galaxy:malpedia="DroidWatcher"
DroidWatcher is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidwatcher |
DualToy (Android)
The tag is: misp-galaxy:malpedia="DualToy (Android)"
DualToy (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy |
Dvmap
The tag is: misp-galaxy:malpedia="Dvmap"
Dvmap is also known as:
Links |
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/ |
Elibomi
The tag is: misp-galaxy:malpedia="Elibomi"
Elibomi is also known as:
-
Drinik
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi |
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/ |
ERMAC
According to Intel471, ERMAC is an Android banking trojan that detects when certain apps are launched and then overlays the screen display to steal the user's credentials.
The tag is: misp-galaxy:malpedia="ERMAC"
ERMAC is also known as:
ErrorFather
ErrorFather is an Android banking trojan with a multi-stage dropper. The final payload is derived from the Cerberus source code leak.
The tag is: misp-galaxy:malpedia="ErrorFather"
ErrorFather is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.errorfather |
https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/ |
Eventbot
According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.
The tag is: misp-galaxy:malpedia="Eventbot"
Eventbot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot |
https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born |
ExoBot
The tag is: misp-galaxy:malpedia="ExoBot"
ExoBot is also known as:
Links |
https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html |
https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/ |
Exodus
The tag is: misp-galaxy:malpedia="Exodus"
Exodus is also known as:
Links |
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf |
https://securitywithoutborders.org/blog/2019/03/29/exodus.html |
FaceStealer
Facebook Credential Stealer.
The tag is: misp-galaxy:malpedia="FaceStealer"
FaceStealer is also known as:
FakeAdBlocker
The tag is: misp-galaxy:malpedia="FakeAdBlocker"
FakeAdBlocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker |
Fakecalls
According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.
The tag is: misp-galaxy:malpedia="Fakecalls"
Fakecalls is also known as:
FakeDefend
The tag is: misp-galaxy:malpedia="FakeDefend"
FakeDefend is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakedefend |
https://www.fortiguard.com/encyclopedia/virus/5543975/android-fakedefend-c-tr |
FakeSpy
The tag is: misp-galaxy:malpedia="FakeSpy"
FakeSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy |
FakeGram
The tag is: misp-galaxy:malpedia="FakeGram"
FakeGram is also known as:
-
FakeTGram
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram |
https://blog.talosintelligence.com/2018/11/persian-stalker.html |
FastFire
The tag is: misp-galaxy:malpedia="FastFire"
FastFire is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastfire |
FastSpy
The tag is: misp-galaxy:malpedia="FastSpy"
FastSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastspy |
FileCoder
According to Heimdal, a new strain of ransomware emerged on Android mobile devices. It targets devices running Android 5.1 and higher. This Android ransomware strain has been dubbed FileCoder (Android/Filecoder.c) by security researchers, and it spreads via text messages containing a malicious link.
The tag is: misp-galaxy:malpedia="FileCoder"
FileCoder is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder |
https://www.welivesecurity.com/2019/07/29/android-ransomware-back/ |
FinFisher (Android)
The tag is: misp-galaxy:malpedia="FinFisher (Android)"
FinFisher (Android) is also known as:
FlexiSpy (Android)
The tag is: misp-galaxy:malpedia="FlexiSpy (Android)"
FlexiSpy (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy |
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
FlexNet
The tag is: misp-galaxy:malpedia="FlexNet"
FlexNet is also known as:
- gugi
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet |
FluBot
PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite the arrests of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.
The tag is: misp-galaxy:malpedia="FluBot"
FluBot is also known as:
- Cabassous
- FakeChat
FluHorse
According to Check Point, this malware consists of several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims' credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of East Asian markets and is distributed via email. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months, making it a persistent, dangerous and hard-to-spot threat.
The tag is: misp-galaxy:malpedia="FluHorse"
FluHorse is also known as:
FlyTrap
Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.
The tag is: misp-galaxy:malpedia="FlyTrap"
FlyTrap is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap |
https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/ |
FunkyBot
The tag is: misp-galaxy:malpedia="FunkyBot"
FunkyBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot |
https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html |
FurBall
Check Point uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.
The tag is: misp-galaxy:malpedia="FurBall"
FurBall is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball |
https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/ |
Geost
The tag is: misp-galaxy:malpedia="Geost"
Geost is also known as:
Ghimob
The tag is: misp-galaxy:malpedia="Ghimob"
Ghimob is also known as:
Links |
https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/ |
GhostCtrl
The tag is: misp-galaxy:malpedia="GhostCtrl"
GhostCtrl is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl |
Gigabud
Gigabud is the name of an Android Remote Access Trojan (RAT) that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.
The tag is: misp-galaxy:malpedia="Gigabud"
Gigabud is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud |
https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/ |
Ginp
Ginp is a mobile banking malware targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit card numbers by performing overlay attacks; overlay targets include, for example, the default SMS application. What makes Ginp a remarkable family is how its operators managed to keep it undetected over time even while it received version upgrades over many years. According to ThreatFabric, Ginp has the following features:
- Overlaying: Dynamic (local overlays obtained from the C2)
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Contact list collection
- Application listing
- Overlaying: Targets list update
- SMS: Sending
- Calls: Call forwarding
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
The tag is: misp-galaxy:malpedia="Ginp"
Ginp is also known as:
GlanceLove
The tag is: misp-galaxy:malpedia="GlanceLove"
GlanceLove is also known as:
GnatSpy
The tag is: misp-galaxy:malpedia="GnatSpy"
GnatSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gnatspy |
https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html |
GoatRAT
The tag is: misp-galaxy:malpedia="GoatRAT"
GoatRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goat_rat |
https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/ |
Godfather
According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.
The tag is: misp-galaxy:malpedia="Godfather"
Godfather is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather |
https://brandefense.io/blog/godfather-android-banking-trojan/ |
GoldenEagle
The tag is: misp-galaxy:malpedia="GoldenEagle"
GoldenEagle is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle |
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf |
GoldenRAT
The tag is: misp-galaxy:malpedia="GoldenRAT"
GoldenRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat |
GoldDigger
The tag is: misp-galaxy:malpedia="GoldDigger"
GoldDigger is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gold_digger |
goontact
The tag is: misp-galaxy:malpedia="goontact"
goontact is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact |
https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail |
GPlayed
Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.
The tag is: misp-galaxy:malpedia="GPlayed"
GPlayed is also known as:
Gravity RAT (Android)
The tag is: misp-galaxy:malpedia="Gravity RAT (Android)"
Gravity RAT (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gravity_rat |
GriftHorse
The tag is: misp-galaxy:malpedia="GriftHorse"
GriftHorse is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.grifthorse |
Guerrilla
The tag is: misp-galaxy:malpedia="Guerrilla"
Guerrilla is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.guerrilla |
Gustuff
Group-IB describes Gustuff as a mobile Android Trojan whose potential targets include customers of leading international banks, users of cryptocurrency services, and popular e-commerce websites and marketplaces. Gustuff had never previously been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities. Analysis of a Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany and 8 in India, as well as users of 32 cryptocurrency apps.
The tag is: misp-galaxy:malpedia="Gustuff"
Gustuff is also known as:
HARDRAIN (Android)
The tag is: misp-galaxy:malpedia="HARDRAIN (Android)"
HARDRAIN (Android) is also known as:
HawkShaw
The tag is: misp-galaxy:malpedia="HawkShaw"
HawkShaw is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw |
https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw |
HenBox
The tag is: misp-galaxy:malpedia="HenBox"
HenBox is also known as:
Links |
https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ |
https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/ |
Hermit
Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.
The tag is: misp-galaxy:malpedia="Hermit"
Hermit is also known as:
Links |
https://www.lighthousereports.nl/investigation/revealing-europes-nso |
HeroRAT
The tag is: misp-galaxy:malpedia="HeroRAT"
HeroRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat |
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/ |
HiddenAd
HiddenAd is a malware that shows ads as overlays on the phone.
The tag is: misp-galaxy:malpedia="HiddenAd"
HiddenAd is also known as:
HilalRAT
A RAT which can be used to extract sensitive information, e.g. contact lists, text messages and location information.
The tag is: misp-galaxy:malpedia="HilalRAT"
HilalRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hilalrat |
https://thehackernews.com/2022/04/microsoft-obtains-court-order-to-take.html |
Hook
According to ThreatFabric, this is a malware family based on apk.ermac. The name Hook is the one self-advertised by its vendor, DukeEugene. It provides WebSocket communication and has RAT capabilities.
The tag is: misp-galaxy:malpedia="Hook"
Hook is also known as:
Hydra
Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. It does this by requesting that the user enable dangerous permissions such as accessibility; then, every time the banking app is opened, the malware hijacks the user by overwriting the legitimate banking application's login page with a malicious one. The goal is the same: to trick the user into entering their login credentials so that they go straight to the malware authors.
The tag is: misp-galaxy:malpedia="Hydra"
Hydra is also known as:
IPStorm (Android)
Android variant of IPStorm (InterPlanetary Storm).
The tag is: misp-galaxy:malpedia="IPStorm (Android)"
IPStorm (Android) is also known as:
- InterPlanetary Storm
IRATA
According to Red Piranha, IRATA (Iranian Remote Access Trojan) is a new Android malware detected in the wild. It originates from a phishing attack through SMS. The message is themed as information coming from the government and asks the recipient to download the malicious application. IRATA can collect sensitive information from the mobile phone, including bank details. Since it infects the phone, it can also gather SMS messages, which can then be used to obtain 2FA tokens.
The tag is: misp-galaxy:malpedia="IRATA"
IRATA is also known as:
IRRat
The tag is: misp-galaxy:malpedia="IRRat"
IRRat is also known as:
JadeRAT
The tag is: misp-galaxy:malpedia="JadeRAT"
JadeRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat |
Joker
Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.
The tag is: misp-galaxy:malpedia="Joker"
Joker is also known as:
- Bread
KevDroid
The tag is: misp-galaxy:malpedia="KevDroid"
KevDroid is also known as:
KnSpy
The tag is: misp-galaxy:malpedia="KnSpy"
KnSpy is also known as:
Koler
The tag is: misp-galaxy:malpedia="Koler"
Koler is also known as:
Konni (Android)
The tag is: misp-galaxy:malpedia="Konni (Android)"
Konni (Android) is also known as:
Links |
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11 |
KSREMOTE
The tag is: misp-galaxy:malpedia="KSREMOTE"
KSREMOTE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote |
LittleLooter
The tag is: misp-galaxy:malpedia="LittleLooter"
LittleLooter is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter |
https://twitter.com/malwrhunterteam/status/1337684036374945792 |
Loki
The tag is: misp-galaxy:malpedia="Loki"
Loki is also known as:
Links |
http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/ |
LokiBot
Android banking Trojan with standard banking capabilities such as overlays and SMS stealing. It also features ransomware functionality. Note that the network traffic is obfuscated the same way as in Android Bankbot.
The tag is: misp-galaxy:malpedia="LokiBot"
LokiBot is also known as:
LuckyCat
The tag is: misp-galaxy:malpedia="LuckyCat"
LuckyCat is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat |
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html |
Mandrake
The tag is: misp-galaxy:malpedia="Mandrake"
Mandrake is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake |
Marcher
The tag is: misp-galaxy:malpedia="Marcher"
Marcher is also known as:
- ExoBot
MasterFred
According to Heimdal, MasterFred is an Android trojan that makes use of false login overlays to target not only Netflix, Instagram and Twitter users, but also bank customers. The attackers' goal is to steal credit card information.
The tag is: misp-galaxy:malpedia="MasterFred"
MasterFred is also known as:
- Brox
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred |
https://twitter.com/AvastThreatLabs/status/1458162276708483073 |
MazarBot
The tag is: misp-galaxy:malpedia="MazarBot"
MazarBot is also known as:
Medusa (Android)
According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.
The tag is: misp-galaxy:malpedia="Medusa (Android)"
Medusa (Android) is also known as:
- Gorgona
Meterpreter (Android)
The tag is: misp-galaxy:malpedia="Meterpreter (Android)"
Meterpreter (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter |
MobileOrder
Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely distributed through other channels such as social engineering.
The tag is: misp-galaxy:malpedia="MobileOrder"
MobileOrder is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mobile_order |
Monokle
Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques, and the ability to install an attacker-specified certificate into the trusted certificates on an infected device, which would allow for man-in-the-middle (MITM) attacks. According to Lookout researchers, it is believed to be developed by Special Technology Center (STC), a Russian defense contractor sanctioned by the U.S. Government in connection with alleged interference in the 2016 US presidential elections.
The tag is: misp-galaxy:malpedia="Monokle"
Monokle is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle |
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf |
MoqHao
The tag is: misp-galaxy:malpedia="MoqHao"
MoqHao is also known as:
- Shaoye
- XLoader
MOrder RAT
The tag is: misp-galaxy:malpedia="MOrder RAT"
MOrder RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.morder_rat |
Mudwater
The tag is: misp-galaxy:malpedia="Mudwater"
Mudwater is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater |
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf |
MysteryBot
MysteryBot is an Android banking Trojan with overlay capabilities (including support for Android 7/8) that also provides other features such as keylogging and ransomware functionality.
The tag is: misp-galaxy:malpedia="MysteryBot"
MysteryBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot |
Nexus
The tag is: misp-galaxy:malpedia="Nexus"
Nexus is also known as:
Links |
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet |
https://liansecurity.com//main/news/RWt_ZocBrFZDfCElFqw_/detail |
OmniRAT
The tag is: misp-galaxy:malpedia="OmniRAT"
OmniRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat |
https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT |
Oscorp
The tag is: misp-galaxy:malpedia="Oscorp"
Oscorp is also known as:
- UBEL
Links |
https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/ |
PackChat
The tag is: misp-galaxy:malpedia="PackChat"
PackChat is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat |
https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/ |
PhantomLance
The tag is: misp-galaxy:malpedia="PhantomLance"
PhantomLance is also known as:
- PWNDROID1
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance |
https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view |
Phoenix
The tag is: misp-galaxy:malpedia="Phoenix"
Phoenix is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.phoenix |
https://cryptax.medium.com/reverse-engineering-of-android-phoenix-b59693c03bd3 |
PhoneSpy
According to Zimperium, PhoneSpy is a spyware aimed at South Korean residents with Android devices.
The tag is: misp-galaxy:malpedia="PhoneSpy"
PhoneSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.phonespy |
https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/ |
PINEFLOWER
According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking; deleting, downloading and uploading files; reading connectivity state, speed and activity; and toggling Bluetooth, Wi-Fi and mobile data settings.
The tag is: misp-galaxy:malpedia="PINEFLOWER"
PINEFLOWER is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower |
https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/ |
PixPirate
According to PCrisk, PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.
In addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.
The tag is: misp-galaxy:malpedia="PixPirate"
PixPirate is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate |
https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan |
PixStealer
The tag is: misp-galaxy:malpedia="PixStealer"
PixStealer is also known as:
- BrazKing
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer |
https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/ |
PjobRAT
The tag is: misp-galaxy:malpedia="PjobRAT"
PjobRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat |
Podec
The tag is: misp-galaxy:malpedia="Podec"
Podec is also known as:
X-Agent (Android)
The tag is: misp-galaxy:malpedia="X-Agent (Android)"
X-Agent (Android) is also known as:
- Popr-d30
Fake Pornhub
The tag is: misp-galaxy:malpedia="Fake Pornhub"
Fake Pornhub is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub |
Premier RAT
The tag is: misp-galaxy:malpedia="Premier RAT"
Premier RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat |
https://twitter.com/LukasStefanko/status/1084774825619537925 |
Rafel RAT
The tag is: misp-galaxy:malpedia="Rafel RAT"
Rafel RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rafelrat |
https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/ |
RambleOn
The tag is: misp-galaxy:malpedia="RambleOn"
RambleOn is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rambleon |
Rana
The tag is: misp-galaxy:malpedia="Rana"
Rana is also known as:
RatMilad
RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East. The malware is spread through links on social media and pretends to be applications for services like VPN and phone number spoofing. Unwary users download these trojan applications and grant access to malware.
The tag is: misp-galaxy:malpedia="RatMilad"
RatMilad is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ratmilad |
https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices |
Raxir
The tag is: misp-galaxy:malpedia="Raxir"
Raxir is also known as:
Links |
https://twitter.com/PhysicalDrive0/statuses/798825019316916224 |
RedAlert2
RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector, RedAlert 2 uses third-party app stores and imitates real Android apps like Viber and WhatsApp or fake Adobe Flash Player updates.
The tag is: misp-galaxy:malpedia="RedAlert2"
RedAlert2 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2 |
https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html |
RemRAT
The tag is: misp-galaxy:malpedia="RemRAT"
RemRAT is also known as:
Retefe (Android)
The Android app used by Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking it is a legitimate app. Moreover, if the target is not a real victim, the download link does not point to the malicious APK but to the real 'Signal Private Messenger' tool, so the phone does not get infected.
The tag is: misp-galaxy:malpedia="Retefe (Android)"
Retefe (Android) is also known as:
Revive
According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.
The tag is: misp-galaxy:malpedia="Revive"
Revive is also known as:
Links |
https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan |
Riltok
The tag is: misp-galaxy:malpedia="Riltok"
Riltok is also known as:
Links |
https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 |
Roaming Mantis
The tag is: misp-galaxy:malpedia="Roaming Mantis"
Roaming Mantis is also known as:
Rogue
The tag is: misp-galaxy:malpedia="Rogue"
Rogue is also known as:
Rootnik
The tag is: misp-galaxy:malpedia="Rootnik"
Rootnik is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik |
Sauron Locker
The tag is: misp-galaxy:malpedia="Sauron Locker"
Sauron Locker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker |
https://twitter.com/LukasStefanko/status/1117795290155819008 |
SharkBot
SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.
The tag is: misp-galaxy:malpedia="SharkBot"
SharkBot is also known as:
SideWinder (Android)
SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.
The tag is: misp-galaxy:malpedia="SideWinder (Android)"
SideWinder (Android) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder |
SilkBean
The tag is: misp-galaxy:malpedia="SilkBean"
SilkBean is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean |
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf |
Skygofree
The tag is: misp-galaxy:malpedia="Skygofree"
Skygofree is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree |
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
Slempo
The tag is: misp-galaxy:malpedia="Slempo"
Slempo is also known as:
- SlemBunk
Links |
https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html |
Slocker
The tag is: misp-galaxy:malpedia="Slocker"
Slocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker |
SmsAgent
The tag is: misp-galaxy:malpedia="SmsAgent"
SmsAgent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent |
SMSspy
The tag is: misp-galaxy:malpedia="SMSspy"
SMSspy is also known as:
SoumniBot
The tag is: misp-galaxy:malpedia="SoumniBot"
SoumniBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.soumnibot |
https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/ |
S.O.V.A.
The tag is: misp-galaxy:malpedia="S.O.V.A."
S.O.V.A. is also known as:
SpyBanker
The tag is: misp-galaxy:malpedia="SpyBanker"
SpyBanker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker |
SpyC23
The tag is: misp-galaxy:malpedia="SpyC23"
SpyC23 is also known as:
Links |
https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/ |
SpyMax
SpyMax is a popular Android surveillance tool. Its predecessor, SpyNote, was one of the most widely used spyware frameworks.
The tag is: misp-galaxy:malpedia="SpyMax"
SpyMax is also known as:
SpyNote
The malware's source code has been released on GitHub at https://github.com/EVLF/Cypher-Rat-Source-Code
The tag is: misp-galaxy:malpedia="SpyNote"
SpyNote is also known as:
- CypherRat
StealthAgent
The tag is: misp-galaxy:malpedia="StealthAgent"
StealthAgent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent |
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF |
Stealth Mango
The tag is: misp-galaxy:malpedia="Stealth Mango"
Stealth Mango is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango |
Svpeng
The tag is: misp-galaxy:malpedia="Svpeng"
Svpeng is also known as:
Links |
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ |
Switcher
The tag is: misp-galaxy:malpedia="Switcher"
Switcher is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher |
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/ |
TalentRAT
The tag is: misp-galaxy:malpedia="TalentRAT"
TalentRAT is also known as:
- Assassin RAT
TangleBot
The tag is: misp-galaxy:malpedia="TangleBot"
TangleBot is also known as:
TeleRAT
The tag is: misp-galaxy:malpedia="TeleRAT"
TeleRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat |
TemptingCedar Spyware
The tag is: misp-galaxy:malpedia="TemptingCedar Spyware"
TemptingCedar Spyware is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar |
https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware |
ThiefBot
The tag is: misp-galaxy:malpedia="ThiefBot"
ThiefBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot |
https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/ |
TianySpy
According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.
The tag is: misp-galaxy:malpedia="TianySpy"
TianySpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy |
TinyZ
The tag is: misp-galaxy:malpedia="TinyZ"
TinyZ is also known as:
- Catelites Android Bot
- MarsElite Android Bot
Titan
The tag is: misp-galaxy:malpedia="Titan"
Titan is also known as:
Links |
https://www.alienvault.com/blogs/labs-research/delivery-keyboy |
ToxicPanda
The tag is: misp-galaxy:malpedia="ToxicPanda"
ToxicPanda is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.toxic_panda |
https://www.cleafy.com/cleafy-labs/toxicpanda-a-new-banking-trojan-from-asia-hit-europe-and-latam |
Triada
The tag is: misp-galaxy:malpedia="Triada"
Triada is also known as:
TrickMo
TrickMo is an advanced banking trojan for Android. Starting out as a companion malware to TrickBot in 2020, it first became a standalone banking trojan by addition of overlay attacks in 2021 and was later (2024) upgraded with remote control capabilities for on-device fraud. The continued development and progressively improved obfuscation suggests an active Threat Actor.
The tag is: misp-galaxy:malpedia="TrickMo"
TrickMo is also known as:
Triout
Bitdefender described Triout as an Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware's surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.
The tag is: misp-galaxy:malpedia="Triout"
Triout is also known as:
UltimaSMS
The tag is: misp-galaxy:malpedia="UltimaSMS"
UltimaSMS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ultima_sms |
https://blog.avast.com/premium-sms-scam-apps-on-play-store-avast |
Unidentified APK 001
The tag is: misp-galaxy:malpedia="Unidentified APK 001"
Unidentified APK 001 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001 |
Unidentified APK 002
The tag is: misp-galaxy:malpedia="Unidentified APK 002"
Unidentified APK 002 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002 |
Unidentified APK 004
According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.
The tag is: misp-galaxy:malpedia="Unidentified APK 004"
Unidentified APK 004 is also known as:
Unidentified APK 005
The tag is: misp-galaxy:malpedia="Unidentified APK 005"
Unidentified APK 005 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005 |
Unidentified APK 006
Information stealer posing as a fake banking app, targeting Korean users.
The tag is: misp-galaxy:malpedia="Unidentified APK 006"
Unidentified APK 006 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006 |
https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20 |
Unidentified 007 (ARMAAN RAT)
According to Cyble, this is an Android application that pretends to be the legitimate application for the Army Mobile Aadhaar App Network (ARMAAN), intended to be used by Indian army personnel. The application was customized to include RAT functionality.
The tag is: misp-galaxy:malpedia="Unidentified 007 (ARMAAN RAT)"
Unidentified 007 (ARMAAN RAT) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_007 |
https://blog.cyble.com/2022/01/28/indian-army-personnel-face-remote-access-trojan-attacks/ |
Unidentified APK 008
Android malware distributed through fake shopping websites targeting Malaysian users, targeting banking information.
The tag is: misp-galaxy:malpedia="Unidentified APK 008"
Unidentified APK 008 is also known as:
Unidentified APK 009 (Chrome Recon)
According to Google, this is a Chrome reconnaissance payload.
The tag is: misp-galaxy:malpedia="Unidentified APK 009 (Chrome Recon)"
Unidentified APK 009 (Chrome Recon) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_009 |
VajraSpy
The tag is: misp-galaxy:malpedia="VajraSpy"
VajraSpy is also known as:
vamp
Related to the Micropsia Windows malware and also sometimes named Micropsia.
The tag is: misp-galaxy:malpedia="vamp"
vamp is also known as:
-
android.micropsia
Links |
https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/ |
VINETHORN
According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.
The tag is: misp-galaxy:malpedia="VINETHORN"
VINETHORN is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn |
https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/ |
Viper RAT
The tag is: misp-galaxy:malpedia="Viper RAT"
Viper RAT is also known as:
Vultur
The tag is: misp-galaxy:malpedia="Vultur"
Vultur is also known as:
-
Vulture
WireX
The tag is: misp-galaxy:malpedia="WireX"
WireX is also known as:
WolfRAT
The tag is: misp-galaxy:malpedia="WolfRAT"
WolfRAT is also known as:
Wroba
According to Avira, this is a banking trojan targeting Japan.
The tag is: misp-galaxy:malpedia="Wroba"
Wroba is also known as:
Links |
https://securelist.com/roaming-mantis-reaches-europe/105596/ |
WyrmSpy
The tag is: misp-galaxy:malpedia="WyrmSpy"
WyrmSpy is also known as:
-
AndroidControl
Xbot
The tag is: misp-galaxy:malpedia="Xbot"
Xbot is also known as:
Xenomorph
Xenomorph is an Android banking RAT developed by the Hadoken.Security actor.
The tag is: misp-galaxy:malpedia="Xenomorph"
Xenomorph is also known as:
xHelper
The tag is: misp-galaxy:malpedia="xHelper"
xHelper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.xhelper |
https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/ |
XploitSPY
The tag is: misp-galaxy:malpedia="XploitSPY"
XploitSPY is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy |
https://twitter.com/malwrhunterteam/status/1249768400806653952 |
XRat
The tag is: misp-galaxy:malpedia="XRat"
XRat is also known as:
Links |
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf |
YellYouth
The tag is: misp-galaxy:malpedia="YellYouth"
YellYouth is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth |
https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html |
Zanubis
According to Cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.
The tag is: misp-galaxy:malpedia="Zanubis"
Zanubis is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis |
https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/ |
Zen
The tag is: misp-galaxy:malpedia="Zen"
Zen is also known as:
Links |
https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html |
ZooPark
The tag is: misp-galaxy:malpedia="ZooPark"
ZooPark is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark |
https://www.secureworks.com/research/threat-profiles/cobalt-juno |
Ztorg
The tag is: misp-galaxy:malpedia="Ztorg"
Ztorg is also known as:
-
Qysly
Links |
http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2 |
https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1 |
Nightrunner
WebShell.
The tag is: misp-galaxy:malpedia="Nightrunner"
Nightrunner is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/asp.nightrunner |
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ |
Tunna
WebShell.
The tag is: misp-galaxy:malpedia="Tunna"
Tunna is also known as:
Links |
https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ |
TwoFace
According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.
The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader, which will in turn be used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, upload, download and deletion of files, and the capability to manipulate MAC timestamps.
The tag is: misp-galaxy:malpedia="TwoFace"
TwoFace is also known as:
-
HighShell
-
HyperShell
-
Minion
-
SEASHARPEE
Unidentified ASP 001 (Webshell)
The tag is: misp-galaxy:malpedia="Unidentified ASP 001 (Webshell)"
Unidentified ASP 001 (Webshell) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001 |
Abcbot
Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, performing internet scans, and serving web pages. It is probably linked to a Xanthe-based clipjacking campaign.
The tag is: misp-galaxy:malpedia="Abcbot"
Abcbot is also known as:
Links |
https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/ |
https://www.cadosecurity.com/the-continued-evolution-of-abcbot/ |
Abyss Locker
Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.
The tag is: misp-galaxy:malpedia="Abyss Locker"
Abyss Locker is also known as:
-
elf.hellokitty
ACBackdoor (ELF)
A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.
The tag is: misp-galaxy:malpedia="ACBackdoor (ELF)"
ACBackdoor (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor |
AcidPour
The tag is: misp-galaxy:malpedia="AcidPour"
AcidPour is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidpour |
https://twitter.com/juanandres_gs/status/1769726024600768959 |
AcidRain
A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems.
The tag is: misp-galaxy:malpedia="AcidRain"
AcidRain is also known as:
AgeLocker
The tag is: misp-galaxy:malpedia="AgeLocker"
AgeLocker is also known as:
AirDropBot
AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.
The tag is: misp-galaxy:malpedia="AirDropBot"
AirDropBot is also known as:
-
CloudBot
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop |
https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html |
Aisuru
Honeypot-aware variant of Mirai.
The tag is: misp-galaxy:malpedia="Aisuru"
Aisuru is also known as:
Links |
https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/ |
Akira (ELF)
Ransomware
The tag is: misp-galaxy:malpedia="Akira (ELF)"
Akira (ELF) is also known as:
AnchorDNS
Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.
The tag is: misp-galaxy:malpedia="AnchorDNS"
AnchorDNS is also known as:
ANGRYREBEL
The tag is: misp-galaxy:malpedia="ANGRYREBEL"
ANGRYREBEL is also known as:
-
Ghost RAT
AVrecon
AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.
The tag is: misp-galaxy:malpedia="AVrecon"
AVrecon is also known as:
azazel
Azazel is a Linux user-mode rootkit based on a technique from the Jynx rootkit (the LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features.
The tag is: misp-galaxy:malpedia="azazel"
azazel is also known as:
B1txor20
B1txor20 is a malware that was discovered by 360 Netlab alongside others exploiting Log4J. The name is derived from the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. According to 360 Netlab, this backdoor for the Linux platform uses a DNS tunnel to build a C2 communication channel. They also assume that the malware is still in development, because of some bugs and not fully implemented features.
The tag is: misp-galaxy:malpedia="B1txor20"
B1txor20 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.b1txor20 |
https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/ |
Babuk (ELF)
ESX and NAS modules for Babuk ransomware.
The tag is: misp-galaxy:malpedia="Babuk (ELF)"
Babuk (ELF) is also known as:
Backdoorit
According to Avast Decoded, Backdoorit is a multiplatform RAT written in the Go programming language and supporting both Windows and Linux/Unix operating systems. In many places in the code it is also referred to as backd00rit.
The tag is: misp-galaxy:malpedia="Backdoorit"
Backdoorit is also known as:
-
backd00rit
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoorit |
https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/ |
Irc16
The tag is: misp-galaxy:malpedia="Irc16"
Irc16 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16 |
BADCALL (ELF)
BADCALL is a Trojan malware variant used by the Lazarus Group.
The tag is: misp-galaxy:malpedia="BADCALL (ELF)"
BADCALL (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall |
Bashlite
Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.
The tag is: misp-galaxy:malpedia="Bashlite"
Bashlite is also known as:
-
Gafgyt
-
gayfgt
-
lizkebab
-
qbot
-
torlus
BCMPUPnP_Hunter
The tag is: misp-galaxy:malpedia="BCMPUPnP_Hunter"
BCMPUPnP_Hunter is also known as:
BianLian (ELF)
The tag is: misp-galaxy:malpedia="BianLian (ELF)"
BianLian (ELF) is also known as:
BiBi-Linux
According to Security Joes, this malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions. During execution, it produces extensive output, which can be mitigated using the "nohup" command. It also leverages multiple threads and a queue to corrupt files concurrently, enhancing its speed and reach. Its actions include overwriting files, renaming them with a random string containing "BiBi," and excluding certain file types from corruption.
The tag is: misp-galaxy:malpedia="BiBi-Linux"
BiBi-Linux is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bibi_linux |
https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group |
Bifrost
Linux version of the Bifrose malware that originally targeted the Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.
The tag is: misp-galaxy:malpedia="Bifrost"
Bifrost is also known as:
-
elf.bifrose
BigViktor
A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.
The tag is: misp-galaxy:malpedia="BigViktor"
BigViktor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor |
BioSet
The tag is: misp-galaxy:malpedia="BioSet"
BioSet is also known as:
Black Basta (ELF)
ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.
The tag is: misp-galaxy:malpedia="Black Basta (ELF)"
Black Basta (ELF) is also known as:
BlackCat (ELF)
ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.
ALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remotely execute itself on other hosts on the local network.
The tag is: misp-galaxy:malpedia="BlackCat (ELF)"
BlackCat (ELF) is also known as:
-
ALPHV
-
Noberus
BlackMatter (ELF)
The tag is: misp-galaxy:malpedia="BlackMatter (ELF)"
BlackMatter (ELF) is also known as:
Blackrota
The tag is: misp-galaxy:malpedia="Blackrota"
Blackrota is also known as:
BlackSuit (ELF)
According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
The tag is: misp-galaxy:malpedia="BlackSuit (ELF)"
BlackSuit (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit |
https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/ |
BOLDMOVE (ELF)
According to Mandiant, this malware family is attributed to a potential Chinese background and directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.
The tag is: misp-galaxy:malpedia="BOLDMOVE (ELF)"
BOLDMOVE (ELF) is also known as:
Break out the Box
This is a pentesting tool and, according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies."
It has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.
The tag is: misp-galaxy:malpedia="Break out the Box"
Break out the Box is also known as:
-
BOtB
BotenaGo
According to Alien Labs, this malware targets embedded devices including routers with more than 30 exploits. Source code: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go (2021-10-16)
The tag is: misp-galaxy:malpedia="BotenaGo"
BotenaGo is also known as:
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant.
The tag is: misp-galaxy:malpedia="BPFDoor"
BPFDoor is also known as:
-
JustForFun
brute_ratel
The tag is: misp-galaxy:malpedia="brute_ratel"
brute_ratel is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.brute_ratel |
Bvp47
Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as "Operation Telescreen".
The tag is: misp-galaxy:malpedia="Bvp47"
Bvp47 is also known as:
Caja
Linux malware cross-compiled for x86, MIPS, ARM. XOR encoded strings, 13 commands supported for its C&C, including downloading, file modification and execution and ability to run shell commands.
The tag is: misp-galaxy:malpedia="Caja"
Caja is also known as:
Caligula
According to Avast Decoded, Caligula is an IRC multiplatform bot that allows performing DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64-bit code, as well as ARM 32-bit and PowerPC 64-bit. It is based on the Hellabot open source project.
The tag is: misp-galaxy:malpedia="Caligula"
Caligula is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.caligula |
https://decoded.avast.io/davidalvarez/go-malware-on-the-rise/ |
Capoae
XMRig-based mining malware written in Go.
The tag is: misp-galaxy:malpedia="Capoae"
Capoae is also known as:
CDorked
This is in the same family as Ebury and Calfbot, and is also likely related to DarkLeech.
The tag is: misp-galaxy:malpedia="CDorked"
CDorked is also known as:
-
CDorked.A
CDRThief
The tag is: misp-galaxy:malpedia="CDRThief"
CDRThief is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief |
https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/ |
Cephei
The tag is: misp-galaxy:malpedia="Cephei"
Cephei is also known as:
Links |
https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader |
Cetus
The tag is: misp-galaxy:malpedia="Cetus"
Cetus is also known as:
Links |
https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/ |
Chalubo
Sophos describes this malware as a DDoS bot, with its name originating from ChaCha-Lua-bot due to its use of ChaCha cipher and Lua. Variants exist for multiple architectures and it incorporates code from XorDDoS and Mirai.
The tag is: misp-galaxy:malpedia="Chalubo"
Chalubo is also known as:
-
ChaChaDDoS
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.chalubo |
Chaos (ELF)
Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.
The tag is: misp-galaxy:malpedia="Chaos (ELF)"
Chaos (ELF) is also known as:
Chapro
The tag is: misp-galaxy:malpedia="Chapro"
Chapro is also known as:
Chisel (ELF)
Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via HTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by multiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to achieve persistence and used as a backdoor. Github: https://github.com/jpillora/chisel
The tag is: misp-galaxy:malpedia="Chisel (ELF)"
Chisel (ELF) is also known as:
Links |
https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/ |
Clop (ELF)
ELF version of Clop ransomware.
The tag is: misp-galaxy:malpedia="Clop (ELF)"
Clop (ELF) is also known as:
-
Cl0p
Links |
https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/ |
https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/ |
Cloud Snooper
The tag is: misp-galaxy:malpedia="Cloud Snooper"
Cloud Snooper is also known as:
-
Snoopy
ConnectBack
ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim’s device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.
The tag is: misp-galaxy:malpedia="ConnectBack"
ConnectBack is also known as:
-
Getshell
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback |
https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/ |
Conti (ELF)
Ransomware
The tag is: misp-galaxy:malpedia="Conti (ELF)"
Conti (ELF) is also known as:
-
Conti Locker
Cpuminer (ELF)
This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.
The tag is: misp-galaxy:malpedia="Cpuminer (ELF)"
Cpuminer (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer |
https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/ |
Cr1ptT0r
The tag is: misp-galaxy:malpedia="Cr1ptT0r"
Cr1ptT0r is also known as:
-
CriptTor
CronRAT
A malware written in Bash that hides in the Linux calendar system on February 31st. Observed in relation to Magecart attacks.
The tag is: misp-galaxy:malpedia="CronRAT"
CronRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cronrat |
CyclopsBlink
According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.
The tag is: misp-galaxy:malpedia="CyclopsBlink"
CyclopsBlink is also known as:
Dacls (ELF)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.
The tag is: misp-galaxy:malpedia="Dacls (ELF)"
Dacls (ELF) is also known as:
Dark
Mirai variant exploiting CVE-2021-20090 and CVE-2021-35395 for spreading.
The tag is: misp-galaxy:malpedia="Dark"
Dark is also known as:
-
Dark.IoT
DarkCracks
A sophisticated payload delivery and upgrade framework, discovered in 2024. DarkCracks exploits compromised GLPI and WordPress sites to function as Downloaders and C2 servers.
The tag is: misp-galaxy:malpedia="DarkCracks"
DarkCracks is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkcracks |
Dark Nexus
The tag is: misp-galaxy:malpedia="Dark Nexus"
Dark Nexus is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus |
https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly |
DarkSide (ELF)
The tag is: misp-galaxy:malpedia="DarkSide (ELF)"
DarkSide (ELF) is also known as:
DarkRadiation
The tag is: misp-galaxy:malpedia="DarkRadiation"
DarkRadiation is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark_radiation |
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting cryptocurrency mining (Monero).
The tag is: misp-galaxy:malpedia="DDG"
DDG is also known as:
ddoor
The tag is: misp-galaxy:malpedia="ddoor"
ddoor is also known as:
DEADBOLT
DEADBOLT is a Linux ransomware written in Go, targeting QNAP NAS devices worldwide. The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.
The tag is: misp-galaxy:malpedia="DEADBOLT"
DEADBOLT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt |
https://securelist.com/new-ransomware-trends-in-2022/106457/ |
Decoy Dog RAT
The tag is: misp-galaxy:malpedia="Decoy Dog RAT"
Decoy Dog RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.decoy_dog |
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat/ |
Denonia
Cado discovered this malware, written in Go and targeting AWS Lambda environments.
The tag is: misp-galaxy:malpedia="Denonia"
Denonia is also known as:
Derusbi (ELF)
The tag is: misp-galaxy:malpedia="Derusbi (ELF)"
Derusbi (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi |
https://twitter.com/IntezerLabs/status/1407676522534735873?s=20 |
DISGOMOJI
The tag is: misp-galaxy:malpedia="DISGOMOJI"
DISGOMOJI is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.disgomoji |
https://anchorednarratives.substack.com/p/reversing-disgomoji-with-malcat-like |
Dofloo
Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines.
The tag is: misp-galaxy:malpedia="Dofloo"
Dofloo is also known as:
-
AESDDoS
Doki
The tag is: misp-galaxy:malpedia="Doki"
Doki is also known as:
Links |
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ |
DoubleFantasy (ELF)
The tag is: misp-galaxy:malpedia="DoubleFantasy (ELF)"
DoubleFantasy (ELF) is also known as:
DreamBus
The tag is: misp-galaxy:malpedia="DreamBus"
DreamBus is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.dreambus |
https://www.aquasec.com/blog/aqua-cndr-stop-dreambus-botnet-attack/ |
Ebury
This payload was used to compromise kernel.org in August 2011 and has hit cPanel Support, which in turn infected quite a few cPanel servers. It is a credential-stealing payload which steals SSH keys, passwords, and potentially other credentials.
This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.
The tag is: misp-galaxy:malpedia="Ebury"
Ebury is also known as:
Echobot
The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.
When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
The tag is: misp-galaxy:malpedia="Echobot"
Echobot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot |
https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html |
Elevator
The tag is: misp-galaxy:malpedia="Elevator"
Elevator is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.elevator |
EnemyBot
According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.
The tag is: misp-galaxy:malpedia="EnemyBot"
EnemyBot is also known as:
Erebus (ELF)
The tag is: misp-galaxy:malpedia="Erebus (ELF)"
Erebus (ELF) is also known as:
Links |
https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/ |
ESXiArgs
Ransomware used to target ESXi servers.
The tag is: misp-galaxy:malpedia="ESXiArgs"
ESXiArgs is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.esxi_args |
https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/ |
Evilginx
According to the author, Evilginx is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
The tag is: misp-galaxy:malpedia="Evilginx"
Evilginx is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilginx |
https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2 |
EvilGnome
According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.
The tag is: misp-galaxy:malpedia="EvilGnome"
EvilGnome is also known as:
EwDoor
The tag is: misp-galaxy:malpedia="EwDoor"
EwDoor is also known as:
Links |
https://blog.netlab.360.com/warning-ewdoor-botnet-is-attacking-att-customers/ |
Exaramel (ELF)
The tag is: misp-galaxy:malpedia="Exaramel (ELF)"
Exaramel (ELF) is also known as:
ext4
The tag is: misp-galaxy:malpedia="ext4"
ext4 is also known as:
Links |
https://www.recordedfuture.com/chinese-cyberespionage-operations |
https://www.recordedfuture.com/chinese-cyberespionage-operations/ |
Facefish
The tag is: misp-galaxy:malpedia="Facefish"
Facefish is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish |
FBot
The tag is: misp-galaxy:malpedia="FBot"
FBot is also known as:
FinFisher (ELF)
The tag is: misp-galaxy:malpedia="FinFisher (ELF)"
FinFisher (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher |
https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/ |
floodor
The tag is: misp-galaxy:malpedia="floodor"
floodor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor |
Fodcha
Malware used to run a DDoS botnet.
The tag is: misp-galaxy:malpedia="Fodcha"
Fodcha is also known as:
Links |
FontOnLake
This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.
It comes with a rootkit as well.
The tag is: misp-galaxy:malpedia="FontOnLake"
FontOnLake is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake |
FritzFrog
Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.
The tag is: misp-galaxy:malpedia="FritzFrog"
FritzFrog is also known as:
Gitpaste-12
Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.
The tag is: misp-galaxy:malpedia="Gitpaste-12"
Gitpaste-12 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12 |
Glupteba Proxy
ARM32 SOCKS proxy, written in Go, used in the Glupteba campaign.
The tag is: misp-galaxy:malpedia="Glupteba Proxy"
Glupteba Proxy is also known as:
GobRAT
The tag is: misp-galaxy:malpedia="GobRAT"
GobRAT is also known as:
Links |
Godlua
The tag is: misp-galaxy:malpedia="Godlua"
Godlua is also known as:
Links |
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ |
Gomir
The tag is: misp-galaxy:malpedia="Gomir"
Gomir is also known as:
Links |
GOSH
The tag is: misp-galaxy:malpedia="GOSH"
GOSH is also known as:
Links |
GoTitan
GoTitan is a DDoS bot under development, which supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
The tag is: misp-galaxy:malpedia="GoTitan"
GoTitan is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.gotitan |
https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq |
GreedyAntd
The tag is: misp-galaxy:malpedia="GreedyAntd"
GreedyAntd is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd |
https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/ |
Gwisin (ELF)
The tag is: misp-galaxy:malpedia="Gwisin (ELF)"
Gwisin (ELF) is also known as:
Links |
HabitsRAT (ELF)
The tag is: misp-galaxy:malpedia="HabitsRAT (ELF)"
HabitsRAT (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat |
Hadooken
The tag is: misp-galaxy:malpedia="Hadooken"
Hadooken is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hadooken |
https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/ |
Haiduc
The tag is: misp-galaxy:malpedia="Haiduc"
Haiduc is also known as:
Links |
Hajime
The tag is: misp-galaxy:malpedia="Hajime"
Hajime is also known as:
Hakai
The tag is: misp-galaxy:malpedia="Hakai"
Hakai is also known as:
Links |
HandyMannyPot
The tag is: misp-galaxy:malpedia="HandyMannyPot"
HandyMannyPot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot |
Hand of Thief
The tag is: misp-galaxy:malpedia="Hand of Thief"
Hand of Thief is also known as:
-
Hanthie
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief |
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/ |
HeadCrab
The tag is: misp-galaxy:malpedia="HeadCrab"
HeadCrab is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.headcrab |
https://www.aquasec.com/blog/headcrab-2-0-evolving-threat-in-redis-malware-landscape/ |
HellDown
Ransomware.
The tag is: misp-galaxy:malpedia="HellDown"
HellDown is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.helldown |
HelloBot (ELF)
The tag is: misp-galaxy:malpedia="HelloBot (ELF)"
HelloBot (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellobot |
HelloKitty (ELF)
Linux version of the HelloKitty ransomware.
The tag is: misp-galaxy:malpedia="HelloKitty (ELF)"
HelloKitty (ELF) is also known as:
HiatusRAT
Lumen discovered this malware used in a campaign targeting business-grade routers using a RAT they call HiatusRAT and a variant of tcpdump for traffic interception.
The tag is: misp-galaxy:malpedia="HiatusRAT"
HiatusRAT is also known as:
HiddenWasp
HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.
The tag is: misp-galaxy:malpedia="HiddenWasp"
HiddenWasp is also known as:
Hide and Seek
The tag is: misp-galaxy:malpedia="Hide and Seek"
Hide and Seek is also known as:
-
HNS
HinataBot
HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.
The tag is: misp-galaxy:malpedia="HinataBot"
HinataBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot |
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet |
Hipid
The tag is: misp-galaxy:malpedia="Hipid"
Hipid is also known as:
Links |
Hive (ELF)
The tag is: misp-galaxy:malpedia="Hive (ELF)"
Hive (ELF) is also known as:
Horse Shell
Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:
- Remote shell: Execution of arbitrary shell commands on the infected router
- File transfer: Upload and download files to and from the infected router.
- SOCKS tunneling: Relay communication between different clients.
The tag is: misp-galaxy:malpedia="Horse Shell"
Horse Shell is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell |
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/ |
Hubnr
The tag is: misp-galaxy:malpedia="Hubnr"
Hubnr is also known as:
Links |
https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet |
HyperSSL (ELF)
The tag is: misp-galaxy:malpedia="HyperSSL (ELF)"
HyperSSL (ELF) is also known as:
-
SysUpdate
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hyperssl |
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html |
iceFire
The tag is: misp-galaxy:malpedia="iceFire"
iceFire is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.icefire |
https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/ |
Icnanker
The tag is: misp-galaxy:malpedia="Icnanker"
Icnanker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker |
https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/ |
INC
The tag is: misp-galaxy:malpedia="INC"
INC is also known as:
Links |
https://twitter.com/malwrhunterteam/status/1689029459255373826 |
IoT Reaper
The tag is: misp-galaxy:malpedia="IoT Reaper"
IoT Reaper is also known as:
-
IoTroop
-
Reaper
-
iotreaper
IPStorm (ELF)
The tag is: misp-galaxy:malpedia="IPStorm (ELF)"
IPStorm (ELF) is also known as:
-
InterPlanetary Storm
IZ1H9
According to Fortinet, this is a Mirai-based DDoS botnet.
The tag is: misp-galaxy:malpedia="IZ1H9"
IZ1H9 is also known as:
Links |
JenX
The tag is: misp-galaxy:malpedia="JenX"
JenX is also known as:
Links |
https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/ |
Kaden
Kaden is a DDoS botnet that is heavily based on Bashlite/Gafgyt. Next to DDoS capabilities it contains wiper functionality, which currently cannot be triggered (yet).
The tag is: misp-galaxy:malpedia="Kaden"
Kaden is also known as:
Links |
https://www.forescout.com/blog/emerging-iot-wiper-malware-kaden-and-new-lolfme-botnet/ |
Kaiji
Kaiji surfaced in late April 2020; Intezer describes it as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.
The tag is: misp-galaxy:malpedia="Kaiji"
Kaiji is also known as:
Kaiten
According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer that allows it to perform other malicious activities. The trojan does not create any copies of itself. This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
The tag is: misp-galaxy:malpedia="Kaiten"
Kaiten is also known as:
-
STD
kerberods
The tag is: misp-galaxy:malpedia="kerberods"
kerberods is also known as:
KEYPLUG
The tag is: misp-galaxy:malpedia="KEYPLUG"
KEYPLUG is also known as:
-
ELFSHELF
kfos
The tag is: misp-galaxy:malpedia="kfos"
kfos is also known as:
Links |
Kinsing
The tag is: misp-galaxy:malpedia="Kinsing"
Kinsing is also known as:
-
h2miner
KIVARS (ELF)
The tag is: misp-galaxy:malpedia="KIVARS (ELF)"
KIVARS (ELF) is also known as:
Links |
Kobalos
The tag is: misp-galaxy:malpedia="Kobalos"
Kobalos is also known as:
Krasue RAT
The tag is: misp-galaxy:malpedia="Krasue RAT"
Krasue RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.krasue_rat |
KrustyLoader
ELF x64 Rust downloader first discovered on Ivanti Connect Secure VPN after the exploitation of CVE-2024-21887 and CVE-2023-46805. Downloads Sliver backdoor and deletes itself.
The tag is: misp-galaxy:malpedia="KrustyLoader"
KrustyLoader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader |
KTLVdoor (ELF)
According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
The tag is: misp-galaxy:malpedia="KTLVdoor (ELF)"
KTLVdoor (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ktlv_door |
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html |
Kuiper (ELF)
The tag is: misp-galaxy:malpedia="Kuiper (ELF)"
Kuiper (ELF) is also known as:
Links |
https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/ |
Lady
The tag is: misp-galaxy:malpedia="Lady"
Lady is also known as:
Links |
LeetHozer
The tag is: misp-galaxy:malpedia="LeetHozer"
LeetHozer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer |
Lightning Framework
The tag is: misp-galaxy:malpedia="Lightning Framework"
Lightning Framework is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lightning |
https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ |
LiLock
The tag is: misp-galaxy:malpedia="LiLock"
LiLock is also known as:
-
Lilocked
-
Lilu
Links |
https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html |
https://fossbytes.com/lilocked-ransomware-infected-linux-servers/ |
lilyofthevalley
The tag is: misp-galaxy:malpedia="lilyofthevalley"
lilyofthevalley is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley |
Linodas
The tag is: misp-galaxy:malpedia="Linodas"
Linodas is also known as:
-
DinodasRAT
-
XDealer
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.linodas |
LiquorBot
BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.
The tag is: misp-galaxy:malpedia="LiquorBot"
LiquorBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot |
https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/ |
LockBit (ELF)
The tag is: misp-galaxy:malpedia="LockBit (ELF)"
LockBit (ELF) is also known as:
Loerbas
Loader and Cleaner components used in attacks against high-performance computing centers in Europe.
The tag is: misp-galaxy:malpedia="Loerbas"
Loerbas is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas |
https://atdotde.blogspot.com/2020/05/high-performance-hackers.html |
Log Collector
The tag is: misp-galaxy:malpedia="Log Collector"
Log Collector is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector |
Lootwodniw
The tag is: misp-galaxy:malpedia="Lootwodniw"
Lootwodniw is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw |
Luna
ESXi encrypting ransomware written in Rust.
The tag is: misp-galaxy:malpedia="Luna"
Luna is also known as:
Links |
Manjusaka (ELF)
Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.
The tag is: misp-galaxy:malpedia="Manjusaka (ELF)"
Manjusaka (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka |
https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html |
Masuta
Masuta takes advantage of the EDB 38722 D-Link exploit.
The tag is: misp-galaxy:malpedia="Masuta"
Masuta is also known as:
-
PureMasuta
Links |
https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/ |
Matryosh
The tag is: misp-galaxy:malpedia="Matryosh"
Matryosh is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh |
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/ |
Melofee
The tag is: misp-galaxy:malpedia="Melofee"
Melofee is also known as:
-
Mélofée
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.melofee |
https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ |
MESSAGETAP
MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.
The tag is: misp-galaxy:malpedia="MESSAGETAP"
MESSAGETAP is also known as:
Midrashim
An x64 ELF file infector with a non-destructive payload.
The tag is: misp-galaxy:malpedia="Midrashim"
Midrashim is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim |
MiKey
The tag is: misp-galaxy:malpedia="MiKey"
MiKey is also known as:
Links |
https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md |
Mirai (ELF)
Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
The tag is: misp-galaxy:malpedia="Mirai (ELF)"
Mirai (ELF) is also known as:
-
Katana
Mokes (ELF)
The tag is: misp-galaxy:malpedia="Mokes (ELF)"
Mokes (ELF) is also known as:
Links |
Momentum
The tag is: misp-galaxy:malpedia="Momentum"
Momentum is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.momentum |
Monti
A ransomware, derived from the leaked Conti source code.
The tag is: misp-galaxy:malpedia="Monti"
Monti is also known as:
Links |
MooBot
The tag is: misp-galaxy:malpedia="MooBot"
MooBot is also known as:
Links |
Moose
The tag is: misp-galaxy:malpedia="Moose"
Moose is also known as:
Links |
http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/ |
https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf |
Mozi
Mozi is an IoT botnet that makes use of P2P for communication and reuses source code of other well-known malware families, including Gafgyt, Mirai, and IoT Reaper.
The tag is: misp-galaxy:malpedia="Mozi"
Mozi is also known as:
MrBlack
MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.
MrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.
The tag is: misp-galaxy:malpedia="MrBlack"
MrBlack is also known as:
-
AESDDoS
-
Dofloo
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack |
https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf |
Mumblehard
The tag is: misp-galaxy:malpedia="Mumblehard"
Mumblehard is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mumblehard |
https://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf |
Nextcry
Ransomware used against Linux servers.
The tag is: misp-galaxy:malpedia="Nextcry"
Nextcry is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry |
Ngioweb (ELF)
The tag is: misp-galaxy:malpedia="Ngioweb (ELF)"
Ngioweb (ELF) is also known as:
Nimbo-C2 (ELF)
According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It’s written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).
The tag is: misp-galaxy:malpedia="Nimbo-C2 (ELF)"
Nimbo-C2 (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.nimbo_c2 |
NiuB
Golang-based RAT that offers execution of shell commands and download+run capability.
The tag is: misp-galaxy:malpedia="NiuB"
NiuB is also known as:
NoaBot
The tag is: misp-galaxy:malpedia="NoaBot"
NoaBot is also known as:
Links |
https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining |
Nood RAT
The tag is: misp-galaxy:malpedia="Nood RAT"
Nood RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.noodrat |
Nosedive
According to Black Lotus Labs, Nosedive is a custom variation of the Mirai implant that is supported on all major SOHO and IoT architectures (e.g. MIPS, ARM, SuperH, PowerPC, etc.). Nosedive implants are typically deployed from Tier 2 payload servers in the Raptor Train infrastructure through a unique URL encoding scheme and domain injection method. Nosedive droppers use this method to request payloads for specific C2s by encoding the requested C2 domain and joining it with a unique "key" that identifies the bot and the target architecture of the compromised device (e.g. MIPS, ARM, etc.), which is then injected into the Nosedive implant payload that is deployed to the Tier 1 node. Once deployed, Nosedive runs in-memory only and allows the operators to execute commands, upload and download files, and run DDoS attacks on compromised devices.
The malware and its associated droppers are memory-resident only and deleted from disk. This, in addition to anti-forensics techniques employed on these devices including the obfuscation of running process names, compromising devices through a multi-stage infection chain, and killing remote management processes, makes detection and forensics much more difficult.
The tag is: misp-galaxy:malpedia="Nosedive"
Nosedive is also known as:
NOTROBIN
FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.
The tag is: misp-galaxy:malpedia="NOTROBIN"
NOTROBIN is also known as:
-
remove_bds
OrBit
According to stormshield, Orbit is a two-stage malware that appeared in July 2022, discovered by Intezer lab. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.
The tag is: misp-galaxy:malpedia="OrBit"
OrBit is also known as:
Links |
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ |
Owari
Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.
The tag is: misp-galaxy:malpedia="Owari"
Owari is also known as:
Links |
https://twitter.com/ankit_anubhav/status/1019647993547550720 |
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html |
p0sT5n1F3r
According to Yarix digital security, this is malware, implemented as an Apache module, that sniffs HTTPS traffic.
The tag is: misp-galaxy:malpedia="p0sT5n1F3r"
p0sT5n1F3r is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r |
P2Pinfect
P2Pinfect is a fast-growing multi-platform botnet, the purpose of which is still unknown. Written in Rust, it is compatible with Windows and Linux, including a MIPS variant for Linux-based routers and IoT devices. It is capable of brute forcing SSH logins and exploiting Redis servers in order to propagate itself both to random IPs on the internet and to hosts it can find references to in files present on the infected system.
The tag is: misp-galaxy:malpedia="P2Pinfect"
P2Pinfect is also known as:
pbot
P2P botnet derived from the Mirai source code.
The tag is: misp-galaxy:malpedia="pbot"
pbot is also known as:
Links |
https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html |
Penquin Turla
The tag is: misp-galaxy:malpedia="Penquin Turla"
Penquin Turla is also known as:
perfctl
The tag is: misp-galaxy:malpedia="perfctl"
perfctl is also known as:
-
perfcc
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.perfctl |
https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/ |
PerlBot
The tag is: misp-galaxy:malpedia="PerlBot"
PerlBot is also known as:
-
DDoS Perl IrcBot
-
ShellBot
Persirai
The tag is: misp-galaxy:malpedia="Persirai"
Persirai is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai |
PG_MEM
The tag is: misp-galaxy:malpedia="PG_MEM"
PG_MEM is also known as:
Links |
https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/ |
PigmyGoat
The tag is: misp-galaxy:malpedia="PigmyGoat"
PigmyGoat is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pigmy_goat |
PingPull
The tag is: misp-galaxy:malpedia="PingPull"
PingPull is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pingpull |
https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ |
Pink
A botnet with P2P and centralized C&C capabilities.
The tag is: misp-galaxy:malpedia="Pink"
Pink is also known as:
Links |
https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ |
PLEAD (ELF)
The tag is: misp-galaxy:malpedia="PLEAD (ELF)"
PLEAD (ELF) is also known as:
Poseidon (ELF)
Part of Mythic C2, written in Golang.
The tag is: misp-galaxy:malpedia="Poseidon (ELF)"
Poseidon (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.poseidon |
https://brandefense.io/blog/apt-36-campaign-poseidon-malware-technical-analysis/ |
PRISM
The tag is: misp-galaxy:malpedia="PRISM"
PRISM is also known as:
-
waterdrop
Links |
https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar |
PrivetSanya
Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.
The tag is: misp-galaxy:malpedia="PrivetSanya"
PrivetSanya is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya |
Prometei (ELF)
The tag is: misp-galaxy:malpedia="Prometei (ELF)"
Prometei (ELF) is also known as:
Pro-Ocean
Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.
The tag is: misp-galaxy:malpedia="Pro-Ocean"
Pro-Ocean is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean |
https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/ |
pupy (ELF)
Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.
The tag is: misp-galaxy:malpedia="pupy (ELF)"
pupy (ELF) is also known as:
Links |
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf |
Qilin
The tag is: misp-galaxy:malpedia="Qilin"
Qilin is also known as:
Links |
https://twitter.com/malwrhunterteam/status/1724521714845937822 |
QNAPCrypt
The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
- The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
- Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
- Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
The tag is: misp-galaxy:malpedia="QNAPCrypt"
QNAPCrypt is also known as:
-
eCh0raix
QSnatch
The malware infects QNAP NAS devices, persists via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes.
The tag is: misp-galaxy:malpedia="QSnatch"
QSnatch is also known as:
QUIETEXIT
Mandiant observed this backdoor being used by UNC3524. It is based on the open-source Dropbear SSH source code.
The tag is: misp-galaxy:malpedia="QUIETEXIT"
QUIETEXIT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit |
r2r2
The tag is: misp-galaxy:malpedia="r2r2"
r2r2 is also known as:
Links |
https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/ |
RagnarLocker (ELF)
The tag is: misp-galaxy:malpedia="RagnarLocker (ELF)"
RagnarLocker (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker |
https://twitter.com/malwrhunterteam/status/1475568201673105409 |
Rakos
The tag is: misp-galaxy:malpedia="Rakos"
Rakos is also known as:
Links |
https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22 |
http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ |
RansomEXX (ELF)
According to SentinelOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.
The tag is: misp-galaxy:malpedia="RansomEXX (ELF)"
RansomEXX (ELF) is also known as:
-
Defray777
RansomExx2
According to IBM Security X-Force, this is a new but functionally very similar version of RansomExx, fully rewritten in Rust and internally referred to as RansomExx2.
The tag is: misp-galaxy:malpedia="RansomExx2"
RansomExx2 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx2 |
https://securityintelligence.com/x-force/ransomexx-upgrades-rust/ |
RapperBot
A Mirai derivative brute-forcing SSH servers.
The tag is: misp-galaxy:malpedia="RapperBot"
RapperBot is also known as:
RaspberryPiBotnet
The tag is: misp-galaxy:malpedia="RaspberryPiBotnet"
RaspberryPiBotnet is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet |
https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/ |
rat_hodin
The tag is: misp-galaxy:malpedia="rat_hodin"
rat_hodin is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin |
rbs_srv
The tag is: misp-galaxy:malpedia="rbs_srv"
rbs_srv is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv |
RedTail
RedTail is a cryptomining malware, which is based on the open-source XMRIG mining software. It is being spread via known vulnerabilities such as:
- CVE-2024-3400
- CVE-2023-46805
- CVE-2024-21887
- CVE-2023-1389
- CVE-2022-22954
- CVE-2018-20062
The tag is: misp-galaxy:malpedia="RedTail"
RedTail is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.redtail |
https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit |
RedXOR
RedXOR is a sophisticated backdoor targeting Linux systems disguised as polkit daemon and utilizing network data encoding based on XOR. Believed to be developed by Chinese nation-state actors, this malware shows similarities to other malware associated with the Winnti umbrella threat group.
RedXOR uses various techniques such as open-source LKM rootkits, Python pty shell, and network data encoding with XOR. It also employs persistence methods and communication with a Command and Control server over HTTP.
The malware can execute various commands including system information collection, updates, shell commands, and network tunneling.
The tag is: misp-galaxy:malpedia="RedXOR"
RedXOR is also known as:
RedAlert Ransomware
Ransomware that targets Linux VMware ESXi servers. Encryption procedure uses the NTRUEncrypt public-key encryption algorithm.
The tag is: misp-galaxy:malpedia="RedAlert Ransomware"
RedAlert Ransomware is also known as:
-
N13V
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert |
https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ |
Rekoobe
A Trojan for Linux intended to infect machines with the SPARC architecture as well as Intel x86 and x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with an XOR algorithm.
The tag is: misp-galaxy:malpedia="Rekoobe"
Rekoobe is also known as:
reptile
The tag is: misp-galaxy:malpedia="reptile"
reptile is also known as:
REvil (ELF)
ELF version of win.revil targeting VMware ESXi hypervisors.
The tag is: misp-galaxy:malpedia="REvil (ELF)"
REvil (ELF) is also known as:
-
REvix
Rex
The tag is: misp-galaxy:malpedia="Rex"
Rex is also known as:
Links |
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/ |
RHOMBUS
The tag is: misp-galaxy:malpedia="RHOMBUS"
RHOMBUS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus |
https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/ |
Rhysida (ELF)
The tag is: misp-galaxy:malpedia="Rhysida (ELF)"
Rhysida (ELF) is also known as:
Roboto
P2P botnet discovered by Netlab360. The botnet infects Linux servers via the Webmin RCE vulnerability (CVE-2019-15107), which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlab360 analysis, the botnet serves mainly seven functions: reverse shell, self-uninstall, gathering the process’s network information, gathering bot information, executing system commands, running encrypted files specified by URLs, and four DDoS attack methods: ICMP flood, HTTP flood, TCP flood, and UDP flood.
The tag is: misp-galaxy:malpedia="Roboto"
Roboto is also known as:
Links |
https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin |
RotaJakiro
RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.
The tag is: misp-galaxy:malpedia="RotaJakiro"
RotaJakiro is also known as:
Royal Ransom (ELF)
According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.
The tag is: misp-galaxy:malpedia="Royal Ransom (ELF)"
Royal Ransom (ELF) is also known as:
-
Royal
-
Royal_unix
Rshell
The tag is: misp-galaxy:malpedia="Rshell"
Rshell is also known as:
RudeDevil
The tag is: misp-galaxy:malpedia="RudeDevil"
RudeDevil is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rude_devil |
SALTWATER
According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.
The tag is: misp-galaxy:malpedia="SALTWATER"
SALTWATER is also known as:
Satori
Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploits to exhibit worm-like behaviour, spreading over ports 37215 and 52869 (CVE-2014-8361).
The tag is: misp-galaxy:malpedia="Satori"
Satori is also known as:
Links |
http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori |
SBIDIOT
The tag is: misp-galaxy:malpedia="SBIDIOT"
SBIDIOT is also known as:
SEASPY
According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen for commands received from the threat actor’s command-and-control server through TCP packets. When executed, the malware uses a libpcap-based sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the captured network packet for a hard-coded string. When the right sequence of packets is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system. The malware is based on an open-source backdoor program named "cd00r".
The tag is: misp-galaxy:malpedia="SEASPY"
SEASPY is also known as:
Links |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
https://www.mandiant.com/resources/blog/chinese-espionage-tactics |
sedexp
The tag is: misp-galaxy:malpedia="sedexp"
sedexp is also known as:
ShellBind
The tag is: misp-galaxy:malpedia="ShellBind"
ShellBind is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind |
Shishiga
The tag is: misp-galaxy:malpedia="Shishiga"
Shishiga is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga |
https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/ |
SideWalk (ELF)
The tag is: misp-galaxy:malpedia="SideWalk (ELF)"
SideWalk (ELF) is also known as:
Silex
The tag is: misp-galaxy:malpedia="Silex"
Silex is also known as:
-
silexbot
SimpleTea (ELF)
SimpleTea for Linux is an HTTP(S) RAT.
It was discovered in Q1 2023 as an instance of the Lazarus group’s Operation DreamJob campaign for Linux. It was a payload downloaded in an execution chain which started with an HSBC-themed job offer lure. It shared the same C&C server as payloads from the 3CX incident around the same time.
It’s an object-oriented project, which does not run on Linux distributions without a graphical user interface, and decrypts its configuration from /home/%user%/.config/apdl.cf using 0x7E as the XOR key. It uses AES-GCM for encryption and decryption of its network traffic.
It supports basic commands that include operations on the victim’s filesystem, manipulation with its configuration, file exfiltration (via ZIP archives), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 16-bit integers, starting with the value 0x27C3.
SimpleTea for Linux seems like an updated version of BadCall for Linux, rewritten from C to C++, as there are similarities in class names and function names between the two.
The tag is: misp-galaxy:malpedia="SimpleTea (ELF)"
SimpleTea (ELF) is also known as:
-
PondRAT
-
SimplexTea
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.simpletea |
SLAPSTICK
According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
The tag is: misp-galaxy:malpedia="SLAPSTICK"
SLAPSTICK is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick |
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html |
SnappyTCP
According to PwC, SnappyTCP is a simple reverse shell for Linux/Unix systems, with variants for plaintext and TLS communication. SeaTurtle has used SnappyTCP at least between 2021 and 2023.
The tag is: misp-galaxy:malpedia="SnappyTCP"
SnappyTCP is also known as:
SoWaT
This is an implant used by APT31 on home routers to utilize them as ORBs.
The tag is: misp-galaxy:malpedia="SoWaT"
SoWaT is also known as:
Links |
https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ |
Spamtorte
The tag is: misp-galaxy:malpedia="Spamtorte"
Spamtorte is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte |
SpeakUp
The tag is: misp-galaxy:malpedia="SpeakUp"
SpeakUp is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup |
https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/ |
Specter
The tag is: misp-galaxy:malpedia="Specter"
Specter is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter |
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/ |
SpectralBlur (ELF)
The tag is: misp-galaxy:malpedia="SpectralBlur (ELF)"
SpectralBlur (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.spectral_blur |
Speculoos
The tag is: misp-galaxy:malpedia="Speculoos"
Speculoos is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos |
https://www.secureworks.com/research/threat-profiles/bronze-atlas |
SprySOCKS
The tag is: misp-galaxy:malpedia="SprySOCKS"
SprySOCKS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks |
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html |
SSHDoor
The tag is: misp-galaxy:malpedia="SSHDoor"
SSHDoor is also known as:
Stantinko
The tag is: misp-galaxy:malpedia="Stantinko"
Stantinko is also known as:
STEELCORGI
According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.
The tag is: misp-galaxy:malpedia="STEELCORGI"
STEELCORGI is also known as:
Sunless
The tag is: misp-galaxy:malpedia="Sunless"
Sunless is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless |
https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/ |
sustes miner
Sustes malware doesn’t infect victims by itself (it’s not a worm); it is spread through exploitation and brute-force activities with a special focus on IoT devices and Linux servers. The initial infection stage comes from a custom wget executed directly on the victim machine, followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.
The tag is: misp-galaxy:malpedia="sustes miner"
sustes miner is also known as:
Links |
https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/ |
Suterusu
The tag is: misp-galaxy:malpedia="Suterusu"
Suterusu is also known as:
-
HCRootkit
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu |
https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/ |
Sword2033
The tag is: misp-galaxy:malpedia="Sword2033"
Sword2033 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sword2033 |
https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ |
Symbiote
A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.
The tag is: misp-galaxy:malpedia="Symbiote"
Symbiote is also known as:
SysJoker (ELF)
The tag is: misp-galaxy:malpedia="SysJoker (ELF)"
SysJoker (ELF) is also known as:
Sysrv-hello (ELF)
Cryptojacking botnet
The tag is: misp-galaxy:malpedia="Sysrv-hello (ELF)"
Sysrv-hello (ELF) is also known as:
-
Sysrv
TeamTNT
Active since fall 2019, TeamTNT is a well-known threat actor which targets *nix-based systems and misconfigured Docker container environments. It has constantly evolved its capabilities for its cloud-based cryptojacking operations and has shifted its focus to compromising Kubernetes clusters.
The tag is: misp-galaxy:malpedia="TeamTNT"
TeamTNT is also known as:
TheMoon
The tag is: misp-galaxy:malpedia="TheMoon"
TheMoon is also known as:
TNTbotinger
The tag is: misp-galaxy:malpedia="TNTbotinger"
TNTbotinger is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger |
https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/ |
Torii
The tag is: misp-galaxy:malpedia="Torii"
Torii is also known as:
TripleCross
According to its author, TripleCross is a Linux eBPF rootkit that demonstrates the offensive capabilities of the eBPF technology.
The tag is: misp-galaxy:malpedia="TripleCross"
TripleCross is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.triplecross |
https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/ |
Trump Bot
The tag is: misp-galaxy:malpedia="Trump Bot"
Trump Bot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot |
TSCookie
The tag is: misp-galaxy:malpedia="TSCookie"
TSCookie is also known as:
Tsunami (ELF)
The tag is: misp-galaxy:malpedia="Tsunami (ELF)"
Tsunami (ELF) is also known as:
-
Amnesia
-
Muhstik
-
Radiation
Turla RAT
The tag is: misp-galaxy:malpedia="Turla RAT"
Turla RAT is also known as:
Umbreon
The tag is: misp-galaxy:malpedia="Umbreon"
Umbreon is also known as:
-
Espeon
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon |
http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html |
Unidentified Linux 001
According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and start a crypto miner.
The tag is: misp-galaxy:malpedia="Unidentified Linux 001"
Unidentified Linux 001 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001 |
https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability |
Unidentified ELF 004
Implant used by APT31 on compromised SOHO infrastructure, tries to camouflage as a tool ("unifi-video") related to Ubiquiti UniFi surveillance cameras.
The tag is: misp-galaxy:malpedia="Unidentified ELF 004"
Unidentified ELF 004 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_004 |
https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ |
Unidentified 005 (Sidecopy)
The tag is: misp-galaxy:malpedia="Unidentified 005 (Sidecopy)"
Unidentified 005 (Sidecopy) is also known as:
Unidentified ELF 006 (Tox Backdoor)
Enables remote execution of scripts on a host, communicates via Tox.
The tag is: misp-galaxy:malpedia="Unidentified ELF 006 (Tox Backdoor)"
Unidentified ELF 006 (Tox Backdoor) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_006 |
https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers |
Hive (Vault 8)
The tag is: misp-galaxy:malpedia="Hive (Vault 8)"
Hive (Vault 8) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.vault8_hive |
Vermilion Strike (ELF)
The tag is: misp-galaxy:malpedia="Vermilion Strike (ELF)"
Vermilion Strike (ELF) is also known as:
VPNFilter
The tag is: misp-galaxy:malpedia="VPNFilter"
VPNFilter is also known as:
WatchBog
According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C addresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.
The tag is: misp-galaxy:malpedia="WatchBog"
WatchBog is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog |
https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/ |
WellMail
The tag is: misp-galaxy:malpedia="WellMail"
WellMail is also known as:
elf.wellmess
The tag is: misp-galaxy:malpedia="elf.wellmess"
elf.wellmess is also known as:
WHIRLPOOL
The tag is: misp-galaxy:malpedia="WHIRLPOOL"
WHIRLPOOL is also known as:
WhiteRabbit
The tag is: misp-galaxy:malpedia="WhiteRabbit"
WhiteRabbit is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET |
Winnti (ELF)
The tag is: misp-galaxy:malpedia="Winnti (ELF)"
Winnti (ELF) is also known as:
Wirenet (ELF)
The tag is: misp-galaxy:malpedia="Wirenet (ELF)"
Wirenet (ELF) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet |
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
X-Agent (ELF)
The tag is: misp-galaxy:malpedia="X-Agent (ELF)"
X-Agent (ELF) is also known as:
-
chopstick
-
fysbis
-
splm
Xanthe
The tag is: misp-galaxy:malpedia="Xanthe"
Xanthe is also known as:
Links |
https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html |
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775 |
Xaynnalc
The tag is: misp-galaxy:malpedia="Xaynnalc"
Xaynnalc is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc |
Xbash
The tag is: misp-galaxy:malpedia="Xbash"
Xbash is also known as:
xdr33
According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.
The tag is: misp-galaxy:malpedia="xdr33"
xdr33 is also known as:
Links |
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/ |
XOR DDoS
Linux DDoS C&C Malware
The tag is: misp-galaxy:malpedia="XOR DDoS"
XOR DDoS is also known as:
-
XORDDOS
Zergeca
Zergeca is a DDoS-botnet and backdoor written in Golang. It uses modified UPX for packing, with the magic number 0x30219101 instead of "UPX!". It is being distributed via weak telnet passwords and known vulnerabilities.
The tag is: misp-galaxy:malpedia="Zergeca"
Zergeca is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zergeca |
https://blog.xlab.qianxin.com/a-deep-dive-into-the-zergeca-botnet |
ZeroBot
ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.
The tag is: misp-galaxy:malpedia="ZeroBot"
ZeroBot is also known as:
-
ZeroStresser
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot |
ZHtrap
The tag is: misp-galaxy:malpedia="ZHtrap"
ZHtrap is also known as:
Zollard
The tag is: misp-galaxy:malpedia="Zollard"
Zollard is also known as:
-
darlloz
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard |
https://blogs.cisco.com/security/the-internet-of-everything-including-malware |
ZuoRAT
According to Black Lotus Labs, ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).
The tag is: misp-galaxy:malpedia="ZuoRAT"
ZuoRAT is also known as:
AutoCAD Downloader
Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.
The tag is: misp-galaxy:malpedia="AutoCAD Downloader"
AutoCAD Downloader is also known as:
-
Acad.Bursted
-
Duxfas
Links |
https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft |
COOKIESNATCH
According to Google, this is a cookie stealer.
The tag is: misp-galaxy:malpedia="COOKIESNATCH"
COOKIESNATCH is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.cookiesnatch |
DualToy (iOS)
The tag is: misp-galaxy:malpedia="DualToy (iOS)"
DualToy (iOS) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy |
GuiInject
The tag is: misp-galaxy:malpedia="GuiInject"
GuiInject is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject |
https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/ |
lightSpy
The tag is: misp-galaxy:malpedia="lightSpy"
lightSpy is also known as:
Phenakite
The tag is: misp-galaxy:malpedia="Phenakite"
Phenakite is also known as:
-
Dakkatoni
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite |
https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html |
PoisonCarp
The tag is: misp-galaxy:malpedia="PoisonCarp"
PoisonCarp is also known as:
-
INSOMNIA
Postlo
The tag is: misp-galaxy:malpedia="Postlo"
Postlo is also known as:
TriangleDB
The tag is: misp-galaxy:malpedia="TriangleDB"
TriangleDB is also known as:
VALIDVICTOR
According to Google, this reconnaissance payload uses a profiling framework drawing canvas to identify the target’s exact iPhone model, a technique used by many other actors. The iPhone model is sent back to the C2 along with screen size, whether or not a touch screen is present, and a unique identifier per initial GET request (e.g., 1lwuzddaxoom5ylli37v90kj). The server replies with either an AES encrypted next stage or 0, indicating that no payload is available for this device. The payload makes another request to the exploit server with gcr=1 as a parameter to get the AES decryption key from the C2.
The tag is: misp-galaxy:malpedia="VALIDVICTOR"
VALIDVICTOR is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.validvictor |
WireLurker (iOS)
The iOS malware that is installed over USB by osx.wirelurker
The tag is: misp-galaxy:malpedia="WireLurker (iOS)"
WireLurker (iOS) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker |
X-Agent (iOS)
The tag is: misp-galaxy:malpedia="X-Agent (iOS)"
X-Agent (iOS) is also known as:
Links |
https://www.secureworks.com/research/threat-profiles/iron-twilight |
AdWind
Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.
Functionality:
- collect general system and user information
- terminate processes
- log keystrokes
- take screenshots and access the webcam
- steal cached passwords from local or web forms
- download and execute malware
- modify the registry
- download components
- Denial of Service attacks
- acquire VPN certificates
Initial infection vector:
1. Email with JAR files attached
2. Malspam URL to download the malware
Persistence: Run key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Hiding: uses attrib.exe
Notes on Adwind: the malware is not known to be proxy aware.
The tag is: misp-galaxy:malpedia="AdWind"
AdWind is also known as:
-
AlienSpy
-
Frutas
-
JBifrost
-
JSocket
-
Sockrat
-
UNRECOM
Adzok
The tag is: misp-galaxy:malpedia="Adzok"
Adzok is also known as:
Banload
F-Secure observed Banload variants silently downloading malicious files from a remote server, then installing and executing the files.
The tag is: misp-galaxy:malpedia="Banload"
Banload is also known as:
Blue Banana RAT
The tag is: misp-galaxy:malpedia="Blue Banana RAT"
Blue Banana RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana |
CrossRAT
The tag is: misp-galaxy:malpedia="CrossRAT"
CrossRAT is also known as:
-
Trupto
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat |
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf |
DynamicRAT
DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.
The tag is: misp-galaxy:malpedia="DynamicRAT"
DynamicRAT is also known as:
-
DYNARAT
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.dynamicrat |
https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694 |
EpicSplit RAT
EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.
The tag is: misp-galaxy:malpedia="EpicSplit RAT"
EpicSplit RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit |
FEimea RAT
The tag is: misp-galaxy:malpedia="FEimea RAT"
FEimea RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat |
https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/ |
IceRat
According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.
The tag is: misp-galaxy:malpedia="IceRat"
IceRat is also known as:
Links |
https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp |
JavaDispCash
JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM’s local application and the goal is to remotely control its operation. The malware’s primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.
The tag is: misp-galaxy:malpedia="JavaDispCash"
JavaDispCash is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash |
JavaLocker
The tag is: misp-galaxy:malpedia="JavaLocker"
JavaLocker is also known as:
-
JavaEncrypt Ransomware
jRAT
jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.
The tag is: misp-galaxy:malpedia="jRAT"
jRAT is also known as:
-
Jacksbot
jSpy
The tag is: misp-galaxy:malpedia="jSpy"
jSpy is also known as:
Links |
https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/ |
Mineping
DDoS for Minecraft servers.
The tag is: misp-galaxy:malpedia="Mineping"
Mineping is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.mineping |
https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/ |
Octopus Scanner
The tag is: misp-galaxy:malpedia="Octopus Scanner"
Octopus Scanner is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner |
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain |
Pronsis Loader
According to TrustWave, this is a loader leveraging JPHP, which was observed fetching Latrodectus and Lumma.
The tag is: misp-galaxy:malpedia="Pronsis Loader"
Pronsis Loader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.pronsis_loader |
Qarallax RAT
According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).
The tag is: misp-galaxy:malpedia="Qarallax RAT"
Qarallax RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat |
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/ |
Qealler
The tag is: misp-galaxy:malpedia="Qealler"
Qealler is also known as:
-
Pyrogenic Infostealer
QRat
QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, …), and it comes as a SaaS. For additional historical context, please see jar.qarallax.
The tag is: misp-galaxy:malpedia="QRat"
QRat is also known as:
-
Quaverse RAT
Ratty
Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.
The tag is: misp-galaxy:malpedia="Ratty"
Ratty is also known as:
Links |
https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/ |
Sorillus RAT
Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, Sorillus can be purchased via a variety of cryptocurrencies. The tool’s creator and distributor, a YouTube user known as "Tapt", asserts that the tool is able to collect the following information from its target:
- HardwareID
- Username
- Country
- Language
- Webcam
- Headless
- Operating system
- Client Version
The tag is: misp-galaxy:malpedia="Sorillus RAT"
Sorillus RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus |
https://abnormalsecurity.com/blog/tax-customers-sorillus-rat |
STRRAT
STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.
From version 1.2 onward, STRRAT was infamous for its ransomware-like behavior of appending the file name extension .crimson to files. Version 1.5 is notably more obfuscated and modular than previous versions, but the backdoor functions mostly remain the same: collect browser passwords, run remote commands and PowerShell, log keystrokes, among others. Version 1.5 of STRRAT includes a proper encryption routine, though currently pretty simple to revert.
The tag is: misp-galaxy:malpedia="STRRAT"
STRRAT is also known as:
SupremeBot
The tag is: misp-galaxy:malpedia="SupremeBot"
SupremeBot is also known as:
-
BlazeBot
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot |
https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/ |
Verblecon
This malware seems to be used for attacks installing cryptocurrency miners on infected machines. Other indicators lead to the assumption that attackers may also use this malware for other purposes (e.g. stealing access tokens for the Discord chat app). Symantec describes this malware as complex and powerful: the malware is loaded as a server-side polymorphic JAR file.
The tag is: misp-galaxy:malpedia="Verblecon"
Verblecon is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.verblecon |
VersaMem
According to Lumen, a web shell used by Volt Typhoon.
The tag is: misp-galaxy:malpedia="VersaMem"
VersaMem is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/jar.versamem |
https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/ |
AIRBREAK
AIRBREAK is a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.
The tag is: misp-galaxy:malpedia="AIRBREAK"
AIRBREAK is also known as:
- Orz
Bateleur
The tag is: misp-galaxy:malpedia="Bateleur"
Bateleur is also known as:
BeaverTail
BeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information theft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as InvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim’s web browsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM packages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers have identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely still under development.
The tag is: misp-galaxy:malpedia="BeaverTail"
BeaverTail is also known as:
BELLHOP
BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
- Creating a Run key in the Registry
- Creating a RunOnce key in the Registry
- Creating a persistent named scheduled task
BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.
The tag is: misp-galaxy:malpedia="BELLHOP"
BELLHOP is also known as:
Links |
https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf |
CACTUSTORCH
According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.
The tag is: misp-galaxy:malpedia="CACTUSTORCH"
CACTUSTORCH is also known as:
ChromeBack
GoSecure describes ChromeBack as a browser hijacker, redirecting traffic and serving advertisements to users.
The tag is: misp-galaxy:malpedia="ChromeBack"
ChromeBack is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback |
ClearFake
ClearFake is a malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. The malware leverages social engineering to trick the user into running a fake web browser update.
The tag is: misp-galaxy:malpedia="ClearFake"
ClearFake is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.clearfake |
https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/ |
CryptoNight
WebAssembly-based crypto miner.
The tag is: misp-galaxy:malpedia="CryptoNight"
CryptoNight is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight |
https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec |
CukieGrab
The tag is: misp-galaxy:malpedia="CukieGrab"
CukieGrab is also known as:
- Roblox Trade Assist
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx |
DarkWatchman
Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA for C&C.
The tag is: misp-galaxy:malpedia="DarkWatchman"
DarkWatchman is also known as:
DNSRat
The tag is: misp-galaxy:malpedia="DNSRat"
DNSRat is also known as:
- DNSbot
doenerium
Open-source JavaScript info stealer capable of stealing crypto wallets, passwords and cookies, and of modifying Discord clients: https://github.com/doener2323/doenerium
The tag is: misp-galaxy:malpedia="doenerium"
doenerium is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium |
Enrume
The tag is: misp-galaxy:malpedia="Enrume"
Enrume is also known as:
- Ransom32
Links |
https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/ |
EVILNUM (Javascript)
According to Proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.
The tag is: misp-galaxy:malpedia="EVILNUM (Javascript)"
EVILNUM (Javascript) is also known as:
FakeUpdateRU
FakeUpdateRU is a malicious JavaScript code injected into compromised websites to deliver further malware using the drive-by download technique. The malicious code displays a copy of the Google Chrome web browser download page and redirects the user to the download of a next-stage payload.
The tag is: misp-galaxy:malpedia="FakeUpdateRU"
FakeUpdateRU is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdateru |
https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html |
FAKEUPDATES
FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.
FAKEUPDATES has been heavily used by UNC1543, a financially motivated group.
The tag is: misp-galaxy:malpedia="FAKEUPDATES"
FAKEUPDATES is also known as:
- FakeUpdate
- SocGholish
GootLoader
According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.
The tag is: misp-galaxy:malpedia="GootLoader"
GootLoader is also known as:
- SLOWPOUR
grelos
grelos is a skimmer used for magecart-style attacks.
The tag is: misp-galaxy:malpedia="grelos"
grelos is also known as:
Links |
https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745 |
Griffon
GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.
The tag is: misp-galaxy:malpedia="Griffon"
Griffon is also known as:
- Harpy
inter
The tag is: misp-galaxy:malpedia="inter"
inter is also known as:
Links |
https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html |
Jeniva
The tag is: misp-galaxy:malpedia="Jeniva"
Jeniva is also known as:
Links |
Jetriz
The tag is: misp-galaxy:malpedia="Jetriz"
Jetriz is also known as:
Links |
jspRAT
The tag is: misp-galaxy:malpedia="jspRAT"
jspRAT is also known as:
Links |
https://www.mandiant.com/resources/fin13-cybercriminal-mexico |
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators |
KopiLuwak
The tag is: misp-galaxy:malpedia="KopiLuwak"
KopiLuwak is also known as:
LNKR
The LNKR trojan is a malicious browser extension that monitors the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension executes a stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains.
The tag is: misp-galaxy:malpedia="LNKR"
LNKR is also known as:
Links |
https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/ |
magecart
Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it’s a sophisticated implant built on top of relays, command and control servers and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in JavaScript included into a compromised checkout page. It copies data from "input fields" and sends it to a relay, which collects credit cards coming from a subset of compromised eCommerce sites and forwards them to command and control servers.
The tag is: misp-galaxy:malpedia="magecart"
magecart is also known as:
megaMedusa
MegaMedusa is a Node.js Layer-7 DDoS tool ("DDoS Machine") provided by the RipperSec team.
The tag is: misp-galaxy:malpedia="megaMedusa"
megaMedusa is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.mega_medusa |
https://www.radware.com/blog/security/2024/08/megamedusa-rippersec-public-web-ddos-attack-tool/ |
MiniJS
MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.
The tag is: misp-galaxy:malpedia="MiniJS"
MiniJS is also known as:
Links |
MintsLoader
According to Orange Cyberdefense, MintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. It has been observed in widespread distribution campaigns between July and October 2024. The name comes from a very characteristic use of a URL parameter "1.php?s=mintsXX" (with XX being numbers).
MintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through phishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and PowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains, most of which use a domain generation algorithm (DGA) with the .top TLD.
The tag is: misp-galaxy:malpedia="MintsLoader"
MintsLoader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.mints_loader |
More_eggs
More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:
- d&exec = download and execute PE file
- gtfo = delete files/startup entries and terminate
- more_eggs = download additional/new scripts
- more_onion = run new script and terminate current script
- more_power = run command shell commands
The tag is: misp-galaxy:malpedia="More_eggs"
More_eggs is also known as:
- SKID
- SpicyOmelette
NanHaiShu
NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.
The tag is: misp-galaxy:malpedia="NanHaiShu"
NanHaiShu is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu |
https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf |
NodeRAT
The tag is: misp-galaxy:malpedia="NodeRAT"
NodeRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat |
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf |
OFFODE
According to the author, this is a project that will give an understanding of bypassing Multi Factor Authentication (MFA) of an Outlook account. It is built in Node.js and uses Playwright for the automation in the backend.
The tag is: misp-galaxy:malpedia="OFFODE"
OFFODE is also known as:
Links |
ostap
Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:
- AgentSimulator.exe
- anti-virus.EXE
- BehaviorDumper
- BennyDB.exe
- ctfmon.exe
- fakepos_bin
- FrzState2k
- gemu-ga.exe (possible misspelling of the Qemu hypervisor’s guest agent, qemu-ga.exe)
- ImmunityDebugger.exe
- KMS Server Service.exe
- ProcessHacker
- procexp
- Proxifier.exe
- python
- tcpdump
- VBoxService
- VBoxTray.exe
- VmRemoteGuest
- vmtoolsd
- VMware2B.exe
- VzService.exe
- winace
- Wireshark
If a blacklisted process is found, the malware terminates.
Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.
The tag is: misp-galaxy:malpedia="ostap"
ostap is also known as:
ParaSiteSnatcher
The tag is: misp-galaxy:malpedia="ParaSiteSnatcher"
ParaSiteSnatcher is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.parasitesnatcher |
Parrot TDS
This malicious code written in JavaScript is used as a Traffic Direction System (TDS). This TDS shows similarities to the Prometheus TDS. According to DECODED Avast.io, this TDS has been active since October 2021.
The tag is: misp-galaxy:malpedia="Parrot TDS"
Parrot TDS is also known as:
PeaceNotWar
PeaceNotWar was integrated into the Node.js module node-ipc as a piece of malware/protestware with wiper characteristics. It targets machines with a public IP address located in Russia and Belarus (using geolocation) and overwrites files recursively using a heart emoji.
The tag is: misp-galaxy:malpedia="PeaceNotWar"
PeaceNotWar is also known as:
PindOS
The tag is: misp-galaxy:malpedia="PindOS"
PindOS is also known as:
Links |
https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid |
Powmet
The tag is: misp-galaxy:malpedia="Powmet"
Powmet is also known as:
Links |
QNodeService
According to Trend Micro, this is Node.js-based malware that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32- and 64-bit.
The tag is: misp-galaxy:malpedia="QNodeService"
QNodeService is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice |
https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf |
QUICKCAFE
QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.
The tag is: misp-galaxy:malpedia="QUICKCAFE"
QUICKCAFE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
scanbox
The tag is: misp-galaxy:malpedia="scanbox"
scanbox is also known as:
Links |
https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea |
https://www.secureworks.com/research/threat-profiles/bronze-mohawk |
SQLRat
SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.
The tag is: misp-galaxy:malpedia="SQLRat"
SQLRat is also known as:
Starfighter (Javascript)
According to the author, this is a JavaScript-based Empire launcher that runs with its own embedded PowerShell host so as not to depend on local PowerShell availability.
The tag is: misp-galaxy:malpedia="Starfighter (Javascript)"
Starfighter (Javascript) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter |
Swid
The tag is: misp-galaxy:malpedia="Swid"
Swid is also known as:
Links |
HTML5 Encoding
The tag is: misp-galaxy:malpedia="HTML5 Encoding"
HTML5 Encoding is also known as:
Maintools.js
Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.
The tag is: misp-galaxy:malpedia="Maintools.js"
Maintools.js is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools |
Unidentified JS 001 (APT32 Profiler)
The tag is: misp-galaxy:malpedia="Unidentified JS 001 (APT32 Profiler)"
Unidentified JS 001 (APT32 Profiler) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001 |
https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f |
Unidentified JS 003 (Emotet Downloader)
According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.
The tag is: misp-galaxy:malpedia="Unidentified JS 003 (Emotet Downloader)"
Unidentified JS 003 (Emotet Downloader) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003 |
https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/ |
Unidentified JS 004
A simple loader written in JavaScript found by Marco Ramilli.
The tag is: misp-galaxy:malpedia="Unidentified JS 004"
Unidentified JS 004 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004 |
Unidentified JS 005 (Stealer)
The tag is: misp-galaxy:malpedia="Unidentified JS 005 (Stealer)"
Unidentified JS 005 (Stealer) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005 |
Unidentified JS 006 (Winter Wyvern)
A script able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests.
The tag is: misp-galaxy:malpedia="Unidentified JS 006 (Winter Wyvern)"
Unidentified JS 006 (Winter Wyvern) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_006 |
https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf |
Unidentified JS 002
The tag is: misp-galaxy:malpedia="Unidentified JS 002"
Unidentified JS 002 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002 |
Valak
According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).
Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems that are already infected with malicious programs such as Ursnif (also known as Gozi).
The tag is: misp-galaxy:malpedia="Valak"
Valak is also known as:
- Valek
witchcoven
The tag is: misp-galaxy:malpedia="witchcoven"
witchcoven is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven |
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf |
Godzilla Webshell
The tag is: misp-galaxy:malpedia="Godzilla Webshell"
Godzilla Webshell is also known as:
3CX Backdoor (OS X)
The tag is: misp-galaxy:malpedia="3CX Backdoor (OS X)"
3CX Backdoor (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor |
AMOS
The tag is: misp-galaxy:malpedia="AMOS"
AMOS is also known as:
- Atomic macOS Stealer
AppleJeus (OS X)
According to PCrisk, AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.
The tag is: misp-galaxy:malpedia="AppleJeus (OS X)"
AppleJeus (OS X) is also known as:
BANSHEE
The tag is: misp-galaxy:malpedia="BANSHEE"
BANSHEE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.banshee |
Bella
The tag is: misp-galaxy:malpedia="Bella"
Bella is also known as:
Links |
Bundlore
The tag is: misp-galaxy:malpedia="Bundlore"
Bundlore is also known as:
- SurfBuyer
Careto
The tag is: misp-galaxy:malpedia="Careto"
Careto is also known as:
- Appetite
- Mask
Links |
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
Casso
The tag is: misp-galaxy:malpedia="Casso"
Casso is also known as:
Links |
CDDS
Google TAG has observed this malware being delivered via watering hole attacks using 0-day exploits, targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group.
The tag is: misp-galaxy:malpedia="CDDS"
CDDS is also known as:
- Macma
Choziosi (OS X)
A loader delivering malicious Chrome and Safari extensions.
The tag is: misp-galaxy:malpedia="Choziosi (OS X)"
Choziosi (OS X) is also known as:
- ChromeLoader
- Chropex
CloudMensis
The tag is: misp-galaxy:malpedia="CloudMensis"
CloudMensis is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cloud_mensis |
https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/ |
CoinThief
CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.
It was spreading in early 2014 from several different sources:
- on GitHub (where the trojanized compiled binary didn’t match the displayed source code),
- on popular and trusted download sites like CNET’s Download.com or MacUpdate.com, and
- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.
The patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker.
The browser extensions targeted Chrome and Firefox and were disguised as a “Pop-up blocker”. The extensions monitored visited websites, downloaded malicious JavaScript and injected it into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.
The backdoor enabled the attacker to take full control over the victim’s computer:
- collect information about the infected computer
- execute arbitrary shell scripts on the target computer
- upload an arbitrary file from the victim’s hard drive to a remote server
- update itself to a newer version
The tag is: misp-galaxy:malpedia="CoinThief"
CoinThief is also known as:
Coldroot RAT
The tag is: misp-galaxy:malpedia="Coldroot RAT"
Coldroot RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat |
Convuster
The tag is: misp-galaxy:malpedia="Convuster"
Convuster is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster |
https://securelist.com/convuster-macos-adware-in-rust/101258/ |
CpuMeaner
The tag is: misp-galaxy:malpedia="CpuMeaner"
CpuMeaner is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner |
https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/ |
CreativeUpdater
The tag is: misp-galaxy:malpedia="CreativeUpdater"
CreativeUpdater is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater |
Crisis
The tag is: misp-galaxy:malpedia="Crisis"
Crisis is also known as:
Links |
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines |
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html |
Crossrider
The tag is: misp-galaxy:malpedia="Crossrider"
Crossrider is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider |
Cthulhu Stealer
The tag is: misp-galaxy:malpedia="Cthulhu Stealer"
Cthulhu Stealer is also known as:
Dacls (OS X)
According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.
Research shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.
The tag is: misp-galaxy:malpedia="Dacls (OS X)"
Dacls (OS X) is also known as:
Links |
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ |
DarthMiner
The tag is: misp-galaxy:malpedia="DarthMiner"
DarthMiner is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer |
DazzleSpy
The tag is: misp-galaxy:malpedia="DazzleSpy"
DazzleSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dazzle_spy |
Dockster
The tag is: misp-galaxy:malpedia="Dockster"
Dockster is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster |
http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html |
Dummy
The tag is: misp-galaxy:malpedia="Dummy"
Dummy is also known as:
Links |
Eleanor
Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.
The Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address.
The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.
The web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:
- Managing files
- Listing processes
- Connecting to various database management systems such as MySQL or SQLite
- Connecting via bind/reverse shell
- Executing shell commands
- Capturing and browsing images and videos from the victim’s webcam
- Sending emails with an attachment
The tag is: misp-galaxy:malpedia="Eleanor"
Eleanor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor |
https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/ |
ElectroRAT
According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.
The tag is: misp-galaxy:malpedia="ElectroRAT"
ElectroRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat |
EvilOSX
The tag is: misp-galaxy:malpedia="EvilOSX"
EvilOSX is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx |
EvilQuest
According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.
It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.
The tag is: misp-galaxy:malpedia="EvilQuest"
EvilQuest is also known as:
- ThiefQuest
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest |
https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/ |
FailyTale
The tag is: misp-galaxy:malpedia="FailyTale"
FailyTale is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale |
https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/ |
FinFisher (OS X)
The tag is: misp-galaxy:malpedia="FinFisher (OS X)"
FinFisher (OS X) is also known as:
FlashBack
The tag is: misp-galaxy:malpedia="FlashBack"
FlashBack is also known as:
- FakeFlash
FruitFly
The tag is: misp-galaxy:malpedia="FruitFly"
FruitFly is also known as:
- Quimitchin
FULLHOUSE
Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and includes the capabilities of a tunneler and backdoor command support such as shell command execution, file transfer, file management, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.
The tag is: misp-galaxy:malpedia="FULLHOUSE"
FULLHOUSE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.fullhouse |
https://www.mandiant.com/resources/blog/north-korea-supply-chain |
GIMMICK (OS X)
This multi-platform malware has a macOS variant written in Objective-C, dubbed GIMMICK by Volexity. This malware is a file-based C2 implant used by Storm Cloud.
The tag is: misp-galaxy:malpedia="GIMMICK (OS X)"
GIMMICK (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick |
Gmera
According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.
Research shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. To avoid damage caused by this malware, remove GMERA immediately.
The tag is: misp-galaxy:malpedia="Gmera"
Gmera is also known as:
- Kassi
- StockSteal
Links |
HiddenLotus
According to Malwarebytes, the HiddenLotus "dropper" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.
The tag is: misp-galaxy:malpedia="HiddenLotus"
HiddenLotus is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus |
HLOADER
The tag is: misp-galaxy:malpedia="HLOADER"
HLOADER is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.hloader |
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn |
HZ RAT (OS X)
The tag is: misp-galaxy:malpedia="HZ RAT (OS X)"
HZ RAT (OS X) is also known as:
Links |
iMuler
The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:
- capture screenshots
- exfiltrate files to a remote computer
- send various information about the infected computer
- extract ZIP archives
- download files from a remote computer and/or the Internet
- run executable files
The tag is: misp-galaxy:malpedia="iMuler"
iMuler is also known as:
- Revir
Interception (OS X)
The tag is: misp-galaxy:malpedia="Interception (OS X)"
Interception (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception |
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/ |
Janicab (OS X)
According to Patrick Wardle, this malware persists a Python script as a cron job. Steps:
1. The Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'.
2. It appends its new job to this file.
3. Once the new cron job has been added, 'python (~/.t/runner.pyc)' runs every minute.
The tag is: misp-galaxy:malpedia="Janicab (OS X)"
Janicab (OS X) is also known as:
JokerSpy
The tag is: misp-galaxy:malpedia="JokerSpy"
JokerSpy is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.jokerspy |
https://www.elastic.co/security-labs/inital-research-of-jokerspy |
KANDYKORN
The tag is: misp-galaxy:malpedia="KANDYKORN"
KANDYKORN is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.kandykorn |
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn |
KeRanger
The tag is: misp-galaxy:malpedia="KeRanger"
KeRanger is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger |
Keydnap
The tag is: misp-galaxy:malpedia="Keydnap"
Keydnap is also known as:
Kitmos
The tag is: misp-galaxy:malpedia="Kitmos"
Kitmos is also known as:
- KitM
Links |
Komplex
The tag is: misp-galaxy:malpedia="Komplex"
Komplex is also known as:
- JHUHUGIT
- JKEYSKW
- SedUploader
Kuiper (OS X)
The tag is: misp-galaxy:malpedia="Kuiper (OS X)"
Kuiper (OS X) is also known as:
Links |
https://www.trellix.com/about/newsroom/stories/research/the-evolution-of-the-kuiper-ransomware/ |
Lador
The tag is: misp-galaxy:malpedia="Lador"
Lador is also known as:
Links |
Lambert (OS X)
The tag is: misp-galaxy:malpedia="Lambert (OS X)"
Lambert (OS X) is also known as:
- GreenLambert
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.lambert |
Laoshu
The tag is: misp-galaxy:malpedia="Laoshu"
Laoshu is also known as:
Links |
Leverage
The tag is: misp-galaxy:malpedia="Leverage"
Leverage is also known as:
LockBit (OS X)
The tag is: misp-galaxy:malpedia="LockBit (OS X)"
LockBit (OS X) is also known as:
MacDownloader
The tag is: misp-galaxy:malpedia="MacDownloader"
MacDownloader is also known as:
MacInstaller
The tag is: misp-galaxy:malpedia="MacInstaller"
MacInstaller is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller |
MacRansom
The tag is: misp-galaxy:malpedia="MacRansom"
MacRansom is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom |
https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service |
MacSpy
The tag is: misp-galaxy:malpedia="MacSpy"
MacSpy is also known as:
Links |
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service |
MacVX
The tag is: misp-galaxy:malpedia="MacVX"
MacVX is also known as:
Links |
MaMi
The tag is: misp-galaxy:malpedia="MaMi"
MaMi is also known as:
Links |
Manuscrypt
The tag is: misp-galaxy:malpedia="Manuscrypt"
Manuscrypt is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt |
Mokes (OS X)
The tag is: misp-galaxy:malpedia="Mokes (OS X)"
Mokes (OS X) is also known as:
Links |
https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/ |
Mughthesec
The tag is: misp-galaxy:malpedia="Mughthesec"
Mughthesec is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec |
NetWire
The tag is: misp-galaxy:malpedia="NetWire"
NetWire is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.netwire |
https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/ |
OceanLotus
According to PCrisk, research shows that the OceanLotus 'backdoor' targets macOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.
The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).
The tag is: misp-galaxy:malpedia="OceanLotus"
OceanLotus is also known as:
Olyx
The tag is: misp-galaxy:malpedia="Olyx"
Olyx is also known as:
Links |
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html |
oRAT
SentinelOne describes this as malware written in Go, mixing its own custom code with code from public repositories.
The tag is: misp-galaxy:malpedia="oRAT"
oRAT is also known as:
OSAMiner
The tag is: misp-galaxy:malpedia="OSAMiner"
OSAMiner is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer |
https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ |
Patcher
This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.
The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.
The file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user’s files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user’s directories.
Despite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.
The tag is: misp-galaxy:malpedia="Patcher"
Patcher is also known as:
- FileCoder
- Findzip
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher |
http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/ |
PintSized
Backdoor built as a fork of OpenSSH_6.0 with no logging and hidden “-P” and “-z” command-line arguments; it contains the string “PuffySSH_5.8p1”.
The tag is: misp-galaxy:malpedia="PintSized"
PintSized is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized |
https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/ |
Pirrit
The tag is: misp-galaxy:malpedia="Pirrit"
Pirrit is also known as:
POOLRAT
The tag is: misp-galaxy:malpedia="POOLRAT"
POOLRAT is also known as:
- SIMPLESEA
- SIMPLETEA
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat |
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise |
Poseidon (OS X)
Part of Mythic C2, written in Golang.
The tag is: misp-galaxy:malpedia="Poseidon (OS X)"
Poseidon (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.poseidon |
Poseidon Stealer
macOS infostealer sold by an individual named Rodrigo4, currently consisting of a disk image containing a Mach-O without an app bundle, which when executed spawns osascript to run an AppleScript containing the actual infostealer payload. The AppleScript payload steals files by packing them into a ZIP archive and uploading them to a hardcoded C2 via HTTP.
The tag is: misp-galaxy:malpedia="Poseidon Stealer"
Poseidon Stealer is also known as:
- Rodrigo Stealer
Proton RAT
Proton RAT is a Remote Access Trojan (RAT) specifically designed for macOS systems. It is known for providing attackers with complete remote control over the infected system, allowing the execution of commands, keystroke capturing, access to the camera and microphone, and the ability to steal credentials stored in browsers and other password managers. This malware typically spreads through malicious or modified applications, which, when downloaded and installed by unsuspecting users, trigger its payload. Proton RAT is notorious for its sophistication and evasion capabilities, including techniques to bypass detection by installed security solutions.
The tag is: misp-galaxy:malpedia="Proton RAT"
Proton RAT is also known as:
- Calisto
Pwnet
Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.
The tag is: misp-galaxy:malpedia="Pwnet"
Pwnet is also known as:
Links |
https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/ |
Dok
Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.
The tag is: misp-galaxy:malpedia="Dok"
Dok is also known as:
- Retefe
RustBucket (OS X)
The tag is: misp-galaxy:malpedia="RustBucket (OS X)"
RustBucket (OS X) is also known as:
Shlayer
According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and promote fake search engines. It is typically disguised as an Adobe Flash Player installer or as various software cracking tools.
In most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.
The tag is: misp-galaxy:malpedia="Shlayer"
Shlayer is also known as:
Silver Sparrow
According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.
The tag is: misp-galaxy:malpedia="Silver Sparrow"
Silver Sparrow is also known as:
SimpleTea (OS X)
SimpleTea is a RAT for macOS that is based on the same object-oriented project as SimpleTea for Linux (SimplexTea).
It also shares similarities with POOLRAT (also known as SIMPLESEA), like the supported commands or a single-byte XOR encryption of its configuration. However, the indices of commands are different.
SimpleTea for macOS was uploaded to VirusTotal from Hong Kong and China in September 2023.
The tag is: misp-galaxy:malpedia="SimpleTea (OS X)"
SimpleTea (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.simpletea |
SpectralBlur (OS X)
The tag is: misp-galaxy:malpedia="SpectralBlur (OS X)"
SpectralBlur (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.spectral_blur |
https://twitter.com/greglesnewich/status/1742575613834084684 |
SUGARLOADER
The tag is: misp-galaxy:malpedia="SUGARLOADER"
SUGARLOADER is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.sugarloader |
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn |
SysJoker (OS X)
The tag is: misp-galaxy:malpedia="SysJoker (OS X)"
SysJoker (OS X) is also known as:
systemd
General-purpose backdoor.
The tag is: misp-galaxy:malpedia="systemd"
systemd is also known as:
- Demsty
- ReverseWindow
Tsunami (OS X)
The tag is: misp-galaxy:malpedia="Tsunami (OS X)"
Tsunami (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami |
https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks |
Unidentified macOS 001 (UnionCryptoTrader)
The tag is: misp-galaxy:malpedia="Unidentified macOS 001 (UnionCryptoTrader)"
Unidentified macOS 001 (UnionCryptoTrader) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001 |
UpdateAgent
The tag is: misp-galaxy:malpedia="UpdateAgent"
UpdateAgent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent |
Uroburos (OS X)
The tag is: misp-galaxy:malpedia="Uroburos (OS X)"
Uroburos (OS X) is also known as:
Vigram
The tag is: misp-galaxy:malpedia="Vigram"
Vigram is also known as:
- WizardUpdate
Links |
https://twitter.com/ConfiantIntel/status/1351559054565535745 |
WatchCat
The tag is: misp-galaxy:malpedia="WatchCat"
WatchCat is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat |
WindTail
The tag is: misp-galaxy:malpedia="WindTail"
WindTail is also known as:
Winnti (OS X)
The tag is: misp-galaxy:malpedia="Winnti (OS X)"
Winnti (OS X) is also known as:
Links |
WireLurker (OS X)
The tag is: misp-galaxy:malpedia="WireLurker (OS X)"
WireLurker (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker |
Wirenet (OS X)
The tag is: misp-galaxy:malpedia="Wirenet (OS X)"
Wirenet (OS X) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet |
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
X-Agent (OS X)
The tag is: misp-galaxy:malpedia="X-Agent (OS X)"
X-Agent (OS X) is also known as:
XCSSET
The tag is: misp-galaxy:malpedia="XCSSET"
XCSSET is also known as:
Xloader
Xloader is a rebranding of the Formbook malware (mainly a stealer), available for macOS as well.
Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.
Not to be confused with apk.xloader or ios.xloader.
The tag is: misp-galaxy:malpedia="Xloader"
Xloader is also known as:
- Formbook
XSLCmd
The tag is: misp-galaxy:malpedia="XSLCmd"
XSLCmd is also known as:
Links |
Yort
The tag is: misp-galaxy:malpedia="Yort"
Yort is also known as:
Links |
https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ |
ZuRu
Malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system and pulls additional payload(s).
The tag is: misp-galaxy:malpedia="ZuRu"
ZuRu is also known as:
Links |
https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html |
Ani-Shell
Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Auto Rooter etc.
The tag is: misp-galaxy:malpedia="Ani-Shell"
Ani-Shell is also known as:
- anishell
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell |
ANTAK
Antak is a webshell written in ASP.Net which utilizes PowerShell.
The tag is: misp-galaxy:malpedia="ANTAK"
ANTAK is also known as:
Links |
https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx |
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html |
ASPXSpy
The tag is: misp-galaxy:malpedia="ASPXSpy"
ASPXSpy is also known as:
Behinder
A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distributed through Github.
The tag is: misp-galaxy:malpedia="Behinder"
Behinder is also known as:
c99shell
C99shell is a PHP backdoor that provides a lot of functionality, for example:
- run shell commands;
- download/upload files from and to the server (FTP functionality);
- full access to all files on the hard disk;
- self-delete functionality.
The tag is: misp-galaxy:malpedia="c99shell"
c99shell is also known as:
- c99
Links |
https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html |
DEWMODE
FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion’s File Transfer Appliance. It is a PHP webshell that allows threat actors to view and download files on the victim machine. It also contains a cleanup function to remove itself and clean the Apache log.
The tag is: misp-galaxy:malpedia="DEWMODE"
DEWMODE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode |
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf |
Ensikology
The tag is: misp-galaxy:malpedia="Ensikology"
Ensikology is also known as:
- Ensiko
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology |
p0wnyshell
The tag is: misp-galaxy:malpedia="p0wnyshell"
p0wnyshell is also known as:
- Ponyshell
- Pownyshell
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.p0wnyshell |
Parrot TDS WebShell
Avast's DECODED blog observed a classic web shell being used in combination with Parrot TDS.
The tag is: misp-galaxy:malpedia="Parrot TDS WebShell"
Parrot TDS WebShell is also known as:
PAS
The tag is: misp-galaxy:malpedia="PAS"
PAS is also known as:
Prometheus Backdoor
Backdoor written in PHP.
The tag is: misp-galaxy:malpedia="Prometheus Backdoor"
Prometheus Backdoor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor |
https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus |
RedHat Hacker WebShell
The tag is: misp-galaxy:malpedia="RedHat Hacker WebShell"
RedHat Hacker WebShell is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker |
https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp |
WSO
The tag is: misp-galaxy:malpedia="WSO"
WSO is also known as:
- Webshell by Orb
Links |
https://www.aquasec.com/blog/loony-tunables-vulnerability-exploited-by-kinsing/ |
https://www.mandiant.com/resources/cloud-metadata-abuse-unc2903 |
Silence DDoS
The tag is: misp-galaxy:malpedia="Silence DDoS"
Silence DDoS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos |
https://www.group-ib.com/resources/threat-research/silence.html |
BlackSun
Ransomware.
The tag is: misp-galaxy:malpedia="BlackSun"
BlackSun is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.blacksun |
https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html |
BONDUPDATER
The tag is: misp-galaxy:malpedia="BONDUPDATER"
BONDUPDATER is also known as:
- Glimpse
- Poison Frog
CASHY200
The tag is: misp-galaxy:malpedia="CASHY200"
CASHY200 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200 |
EugenLoader
A loader written in PowerShell, usually delivered packaged in MSI/MSIX files.
The tag is: misp-galaxy:malpedia="EugenLoader"
EugenLoader is also known as:
- FakeBat
- NUMOZYLOD
- PaykLoader
FlowerPower
The tag is: misp-galaxy:malpedia="FlowerPower"
FlowerPower is also known as:
- BoBoStealer
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower |
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf |
FRat Loader
Loader used to deliver FRat (see the family windows.frat).
The tag is: misp-galaxy:malpedia="FRat Loader"
FRat Loader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader |
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md |
FTCODE
FTCODE is ransomware which encrypts files and changes their extension to .FTCODE. It then demands a ransom in exchange for the decryption key needed to recover the files. It is infamous for attacks on Italy in which it pretends to be a well-known telecom provider asking for due payments.
The tag is: misp-galaxy:malpedia="FTCODE"
FTCODE is also known as:
GhostMiner
The tag is: misp-galaxy:malpedia="GhostMiner"
GhostMiner is also known as:
HTTP-Shell
The author describes this open source shell as follows. HTTP-Shell is a multiplatform reverse shell. This tool helps you to obtain a shell-like interface on a reverse connection over HTTP. Unlike other reverse shells, the main goal of the tool is to use it in conjunction with Microsoft Dev Tunnels, in order to get a connection as close as possible to a legitimate one.
This shell is not fully interactive, but displays any errors on screen (both Windows and Linux), is capable of uploading and downloading files, has command history, terminal cleanup (even with CTRL+L), automatic reconnection, movement between directories and supports sudo (or sudo su) on Linux-based OS.
The tag is: misp-galaxy:malpedia="HTTP-Shell"
HTTP-Shell is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.http_shell |
https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition |
JasperLoader
The tag is: misp-galaxy:malpedia="JasperLoader"
JasperLoader is also known as:
Lazyscripter
The tag is: misp-galaxy:malpedia="Lazyscripter"
Lazyscripter is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lazyscripter |
https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter |
LightBot
According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.
The tag is: misp-galaxy:malpedia="LightBot"
LightBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot |
Octopus (Powershell)
The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."
It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.
The tag is: misp-galaxy:malpedia="Octopus (Powershell)"
Octopus (Powershell) is also known as:
OilRig
The tag is: misp-galaxy:malpedia="OilRig"
OilRig is also known as:
Links |
https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html |
PhonyC2
The tag is: misp-galaxy:malpedia="PhonyC2"
PhonyC2 is also known as:
POSHSPY
The tag is: misp-galaxy:malpedia="POSHSPY"
POSHSPY is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy |
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html |
PowerBrace
The tag is: misp-galaxy:malpedia="PowerBrace"
PowerBrace is also known as:
PowerHarbor
PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.
The tag is: misp-galaxy:malpedia="PowerHarbor"
PowerHarbor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerharbor |
https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor |
PowerPepper
The tag is: misp-galaxy:malpedia="PowerPepper"
PowerPepper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper |
https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ |
POWERPIPE
The tag is: misp-galaxy:malpedia="POWERPIPE"
POWERPIPE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe |
POWERPLANT
POWERPLANT is a backdoor written in PowerShell and used by FIN7. According to Mandiant, it was revealed to be a "vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server."
The tag is: misp-galaxy:malpedia="POWERPLANT"
POWERPLANT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerplant |
powershell_web_backdoor
The tag is: misp-galaxy:malpedia="powershell_web_backdoor"
powershell_web_backdoor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor |
PowerShortShell
The tag is: misp-galaxy:malpedia="PowerShortShell"
PowerShortShell is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershortshell |
PowerShower
The tag is: misp-galaxy:malpedia="PowerShower"
PowerShower is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower |
POWERSOURCE
POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.
The tag is: misp-galaxy:malpedia="POWERSOURCE"
POWERSOURCE is also known as:
PowerSpritz
The tag is: misp-galaxy:malpedia="PowerSpritz"
PowerSpritz is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
POWERSTAR
The tag is: misp-galaxy:malpedia="POWERSTAR"
POWERSTAR is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstar |
POWERSTATS
POWERSTATS is a backdoor written in PowerShell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.
The tag is: misp-galaxy:malpedia="POWERSTATS"
POWERSTATS is also known as:
- Valyria
POWERTON
The tag is: misp-galaxy:malpedia="POWERTON"
POWERTON is also known as:
POWERTRASH
This PowerShell written malware is an in-memory dropper used by FIN7 to execute the included/embedded payload. According to Mandiant’s blog article: "POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub."
The tag is: misp-galaxy:malpedia="POWERTRASH"
POWERTRASH is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powertrash |
PowerWare
The tag is: misp-galaxy:malpedia="PowerWare"
PowerWare is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware |
https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats |
PowerZure
PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
The tag is: misp-galaxy:malpedia="PowerZure"
PowerZure is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure |
PowerMagic
The tag is: misp-galaxy:malpedia="PowerMagic"
PowerMagic is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic |
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger |
PowerRAT
The tag is: misp-galaxy:malpedia="PowerRAT"
PowerRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_rat |
PowGoop
DLL loader that decrypts and runs a PowerShell-based downloader.
The tag is: misp-galaxy:malpedia="PowGoop"
PowGoop is also known as:
POWRUNER
The tag is: misp-galaxy:malpedia="POWRUNER"
POWRUNER is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner |
PresFox
The family adds a fake root certificate authority, sets a proxy.pac URL for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on the information shared, it seems the PowerShell script is dropped by an exploit kit.
The tag is: misp-galaxy:malpedia="PresFox"
PresFox is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox |
QUADAGENT
The tag is: misp-galaxy:malpedia="QUADAGENT"
QUADAGENT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent |
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ |
RandomQuery (Powershell)
A set of PowerShell scripts, using services like Google Docs and Dropbox as C2.
The tag is: misp-galaxy:malpedia="RandomQuery (Powershell)"
RandomQuery (Powershell) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.randomquery |
RMOT
According to Trellix, this is a first-stage, PowerShell-based malware dropped via Excel/VBS. It is able to establish a foothold and exfiltrate data. Targets identified include hotels in Macao.
The tag is: misp-galaxy:malpedia="RMOT"
RMOT is also known as:
Links |
RogueRobin
The tag is: misp-galaxy:malpedia="RogueRobin"
RogueRobin is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin |
https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/ |
Royal Ransom (Powershell)
Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.
The tag is: misp-galaxy:malpedia="Royal Ransom (Powershell)"
Royal Ransom (Powershell) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.royal_ransom |
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a |
Schtasks
The tag is: misp-galaxy:malpedia="Schtasks"
Schtasks is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks |
https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1 |
skyrat
The tag is: misp-galaxy:malpedia="skyrat"
skyrat is also known as:
Links |
sLoad
sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.
The tag is: misp-galaxy:malpedia="sLoad"
sLoad is also known as:
- Starslord
Snugy
The tag is: misp-galaxy:malpedia="Snugy"
Snugy is also known as:
Links |
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/ |
STEELHOOK
The tag is: misp-galaxy:malpedia="STEELHOOK"
STEELHOOK is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.steelhook |
SUBTLE-PAWS
The tag is: misp-galaxy:malpedia="SUBTLE-PAWS"
SUBTLE-PAWS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.subtle_paws |
Swrort Stager
The tag is: misp-galaxy:malpedia="Swrort Stager"
Swrort Stager is also known as:
Links |
Tater PrivEsc
The tag is: misp-galaxy:malpedia="Tater PrivEsc"
Tater PrivEsc is also known as:
Links |
ThunderShell
The tag is: misp-galaxy:malpedia="ThunderShell"
ThunderShell is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell |
Unidentified PS 001
Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.
The tag is: misp-galaxy:malpedia="Unidentified PS 001"
Unidentified PS 001 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001 |
https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/ |
Unidentified PS 002 (RAT)
A PowerShell-based RAT capable of pulling further payloads, delivered through Russia-themed phishing mails.
The tag is: misp-galaxy:malpedia="Unidentified PS 002 (RAT)"
Unidentified PS 002 (RAT) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002 |
Unidentified PS 003 (RAT)
This malware is a RAT written in PowerShell. It has the following capabilities: downloading and uploading files, loading and executing a PowerShell script, and executing a specific command. It was observed by the Malwarebytes Labs Threat Intelligence Team in a newly discovered campaign that tries to lure Germans with a promise of updates on the current threat situation in Ukraine.
The tag is: misp-galaxy:malpedia="Unidentified PS 003 (RAT)"
Unidentified PS 003 (RAT) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_003 |
Unidentified PS 004 (RAT)
The tag is: misp-galaxy:malpedia="Unidentified PS 004 (RAT)"
Unidentified PS 004 (RAT) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_004 |
ViperSoftX
The tag is: misp-galaxy:malpedia="ViperSoftX"
ViperSoftX is also known as:
WannaMine
The tag is: misp-galaxy:malpedia="WannaMine"
WannaMine is also known as:
WannaRen Downloader
The tag is: misp-galaxy:malpedia="WannaRen Downloader"
WannaRen Downloader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader |
WMImplant
The tag is: misp-galaxy:malpedia="WMImplant"
WMImplant is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant |
https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html |
AndroxGh0st
According to Lacework, this is an SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data, including AWS, SendGrid and Twilio credentials. AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.
The tag is: misp-galaxy:malpedia="AndroxGh0st"
AndroxGh0st is also known as:
-
Androx
-
AndroxGhost
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st |
https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/ |
Archivist
The tag is: misp-galaxy:malpedia="Archivist"
Archivist is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist |
Ares (Python)
Ares is a Python RAT.
The tag is: misp-galaxy:malpedia="Ares (Python)"
Ares (Python) is also known as:
Links |
BlankGrabber
Stealer written in Python 3, typically distributed bundled via PyInstaller.
The tag is: misp-galaxy:malpedia="BlankGrabber"
BlankGrabber is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber |
https://www.linkedin.com/feed/update/urn:li:activity:7247179869443264512/ |
BrickerBot
The tag is: misp-galaxy:malpedia="BrickerBot"
BrickerBot is also known as:
Creal Stealer
Stealer written in Python.
The tag is: misp-galaxy:malpedia="Creal Stealer"
Creal Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.creal_stealer |
https://cyble.com/blog/creal-new-stealer-targeting-cryptocurrency-users-via-phishing-sites/ |
DropboxC2C
The tag is: misp-galaxy:malpedia="DropboxC2C"
DropboxC2C is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c |
Empyrean
Discord Stealer written in Python with Javascript-based inject files.
The tag is: misp-galaxy:malpedia="Empyrean"
Empyrean is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.empyrean |
https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord |
Evil Ant
Ransomware written in Python.
The tag is: misp-galaxy:malpedia="Evil Ant"
Evil Ant is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.evil_ant |
https://labs.k7computing.com/index.php/python-ciphering-delving-into-evil-ants-ransomwares-tactics/ |
Guard
According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.
The tag is: misp-galaxy:malpedia="Guard"
Guard is also known as:
Links |
InvisibleFerret
The tag is: misp-galaxy:malpedia="InvisibleFerret"
InvisibleFerret is also known as:
KeyPlexer
The tag is: misp-galaxy:malpedia="KeyPlexer"
KeyPlexer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer |
LaZagne
The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.
The tag is: misp-galaxy:malpedia="LaZagne"
LaZagne is also known as:
Lofy
The tag is: misp-galaxy:malpedia="Lofy"
Lofy is also known as:
-
LofyLife
Links |
https://securelist.com/lofylife-malicious-npm-packages/107014/ |
Loki RAT
This RAT written in Python is an open-source fork of the Ares RAT. This malware integrates additional modules, such as recording, lockscreen, and locate options. It was used in a customized version by the El Machete APT in an ongoing campaign since 2020. The original code can be found at: https://github.com/TheGeekHT/Loki.Rat/
The tag is: misp-galaxy:malpedia="Loki RAT"
Loki RAT is also known as:
Links |
MASEPIE
The tag is: misp-galaxy:malpedia="MASEPIE"
MASEPIE is also known as:
N3Cr0m0rPh
An IRC bot written in (obfuscated) Python code. Distributed in the FreakOut attack campaign, written by the author Freak/Fl0urite, with development potentially dating back as far as 2015.
The tag is: misp-galaxy:malpedia="N3Cr0m0rPh"
N3Cr0m0rPh is also known as:
-
FreakOut
-
Necro
NetWorm
The tag is: misp-galaxy:malpedia="NetWorm"
NetWorm is also known as:
Links |
PIRAT
The tag is: misp-galaxy:malpedia="PIRAT"
PIRAT is also known as:
Links |
Poet RAT
Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.
The tag is: misp-galaxy:malpedia="Poet RAT"
Poet RAT is also known as:
poweRAT
The tag is: misp-galaxy:malpedia="poweRAT"
poweRAT is also known as:
Links |
https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi |
pupy (Python)
The tag is: misp-galaxy:malpedia="pupy (Python)"
pupy (Python) is also known as:
PyAesLoader
The tag is: misp-galaxy:malpedia="PyAesLoader"
PyAesLoader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader |
PyArk
The tag is: misp-galaxy:malpedia="PyArk"
PyArk is also known as:
Links |
pyback
The tag is: misp-galaxy:malpedia="pyback"
pyback is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001 |
PY#RATION
According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.
The tag is: misp-galaxy:malpedia="PY#RATION"
PY#RATION is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.pyration |
https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/ |
PyVil
PyVil RAT
The tag is: misp-galaxy:malpedia="PyVil"
PyVil is also known as:
Links |
https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat |
QUIETBOARD
The tag is: misp-galaxy:malpedia="QUIETBOARD"
QUIETBOARD is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.quietboard |
https://www.mandiant.com/resources/blog/unc4990-evolution-usb-malware |
Responder
Responder is an LLMNR, NBT-NS and MDNS poisoner, with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
The tag is: misp-galaxy:malpedia="Responder"
Responder is also known as:
-
SpiderLabs Responder
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.responder |
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/ |
Saphyra
The tag is: misp-galaxy:malpedia="Saphyra"
Saphyra is also known as:
Links |
https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/ |
Serpent
According to Proofpoint, this is a backdoor written in Python, used in attacks against French entities in the construction, real estate, and government industries.
The tag is: misp-galaxy:malpedia="Serpent"
Serpent is also known as:
Links |
https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html |
https://labs.k7computing.com/index.php/uncovering-the-serpent/ |
SpaceCow
The tag is: misp-galaxy:malpedia="SpaceCow"
SpaceCow is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow |
stealler
The tag is: misp-galaxy:malpedia="stealler"
stealler is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler |
Stitch
The tag is: misp-galaxy:malpedia="Stitch"
Stitch is also known as:
Links |
Stormous
The tag is: misp-galaxy:malpedia="Stormous"
Stormous is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.stormous |
unidentified_002
The tag is: misp-galaxy:malpedia="unidentified_002"
unidentified_002 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002 |
unidentified_003
The tag is: misp-galaxy:malpedia="unidentified_003"
unidentified_003 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003 |
UPSTYLE
The tag is: misp-galaxy:malpedia="UPSTYLE"
UPSTYLE is also known as:
Links |
Venomous
Ransomware written in Python and delivered as compiled executable created using PyInstaller.
The tag is: misp-galaxy:malpedia="Venomous"
Venomous is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous |
https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/ |
Venus Stealer
Venus Stealer is a Python-based infostealer observed in early 2023.
The tag is: misp-galaxy:malpedia="Venus Stealer"
Venus Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer |
https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/ |
VileRAT
The tag is: misp-galaxy:malpedia="VileRAT"
VileRAT is also known as:
Links |
https://stairwell.com/resources/technical-analysis-the-silent-torrent-of-vilerat/ |
W4SP Stealer
A basic info stealer with some capability to inject code into legitimate applications.
The tag is: misp-galaxy:malpedia="W4SP Stealer"
W4SP Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.w4sp_stealer |
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/ |
WIREFIRE
The tag is: misp-galaxy:malpedia="WIREFIRE"
WIREFIRE is also known as:
-
GIFTEDVISITOR
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/py.wirefire |
KV
The tag is: misp-galaxy:malpedia="KV"
KV is also known as:
Links |
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/ |
https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf |
xzbot
A backdoor brought into version 5.6.0 and 5.6.1 of compression library/tool xz/liblzma, which was intended to enable access via (Open)SSH on affected servers.
The tag is: misp-galaxy:malpedia="xzbot"
xzbot is also known as:
-
xzorcist
FlexiSpy (symbian)
The tag is: misp-galaxy:malpedia="FlexiSpy (symbian)"
FlexiSpy (symbian) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy |
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
BASICSTAR
The tag is: misp-galaxy:malpedia="BASICSTAR"
BASICSTAR is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.basicstar |
https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/ |
CageyChameleon
CageyChameleon is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon collects user and host information, current process information, etc. The collected information is sent back to the C2 server, and the backdoor then continues to issue requests to perform subsequent operations.
The tag is: misp-galaxy:malpedia="CageyChameleon"
CageyChameleon is also known as:
-
Cabbage RAT
forbiks
The tag is: misp-galaxy:malpedia="forbiks"
forbiks is also known as:
-
Forbix
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks |
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99 |
GGLdr
The tag is: misp-galaxy:malpedia="GGLdr"
GGLdr is also known as:
Links |
https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control |
GlowSpark
The tag is: misp-galaxy:malpedia="GlowSpark"
GlowSpark is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.glowspark |
Grinju Downloader
The tag is: misp-galaxy:malpedia="Grinju Downloader"
Grinju Downloader is also known as:
HALFBAKED
The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:
info: Sends victim machine information (OS, processor, BIOS and running processes) using WMI queries
processList: Sends the list of running processes
screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
runvbs: Executes a VB script
runexe: Executes an EXE file
runps1: Executes a PowerShell script
delete: Deletes the specified file
update: Updates the specified file
The tag is: misp-galaxy:malpedia="HALFBAKED"
HALFBAKED is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked |
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html |
HOMESTEEL
The tag is: misp-galaxy:malpedia="HOMESTEEL"
HOMESTEEL is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.homesteel |
Iloveyou
The tag is: misp-galaxy:malpedia="Iloveyou"
Iloveyou is also known as:
-
Love Bug
-
LoveLetter
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou |
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186 |
Janicab (VBScript)
The tag is: misp-galaxy:malpedia="Janicab (VBScript)"
Janicab (VBScript) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.janicab |
https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/ |
lampion
The malware is delivered by emails containing links to ZIP files or ZIP attachments. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking clients in Portugal.
The tag is: misp-galaxy:malpedia="lampion"
lampion is also known as:
LitterDrifter
The tag is: misp-galaxy:malpedia="LitterDrifter"
LitterDrifter is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.litterdrifter |
https://research.checkpoint.com/2023/malware-spotlight-into-the-trash-analyzing-litterdrifter/ |
lockscreen
The tag is: misp-galaxy:malpedia="lockscreen"
lockscreen is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen |
MOUSEISLAND
MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected ZIP attached to a phishing email. Based on FireEye intrusion data from responding to ICEDID-related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.
The tag is: misp-galaxy:malpedia="MOUSEISLAND"
MOUSEISLAND is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland |
NodeJS Ransomware
Downloads NodeJS when deployed.
The tag is: misp-galaxy:malpedia="NodeJS Ransomware"
NodeJS Ransomware is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom |
https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html |
RandomQuery (VBScript)
According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.
The tag is: misp-galaxy:malpedia="RandomQuery (VBScript)"
RandomQuery (VBScript) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.randomquery |
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/ |
Starfighter (VBScript)
According to the author, this is a JavaScript-based Empire launcher that runs with its own embedded PowerShell host so as not to depend on local PowerShell availability.
The tag is: misp-galaxy:malpedia="Starfighter (VBScript)"
Starfighter (VBScript) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter |
STARWHALE
The tag is: misp-galaxy:malpedia="STARWHALE"
STARWHALE is also known as:
-
Canopy
-
SloughRAT
Unidentified VBS 001
The tag is: misp-galaxy:malpedia="Unidentified VBS 001"
Unidentified VBS 001 is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001 |
Unidentified 002 (Operation Kremlin)
Unnamed malware. Delivered as a remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via WinRAR.
The tag is: misp-galaxy:malpedia="Unidentified 002 (Operation Kremlin)"
Unidentified 002 (Operation Kremlin) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002 |
Unidentified 003 (Gamaredon Downloader)
The tag is: misp-galaxy:malpedia="Unidentified 003 (Gamaredon Downloader)"
Unidentified 003 (Gamaredon Downloader) is also known as:
Unidentified VBS 004 (RAT)
Lab52 describes this as a light first-stage RAT used by MuddyWater, with samples observed between at least November 2020 and January 2022.
The tag is: misp-galaxy:malpedia="Unidentified VBS 004 (RAT)"
Unidentified VBS 004 (RAT) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_004 |
https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/ |
Unidentified VBS 005 (Telegram Loader)
The tag is: misp-galaxy:malpedia="Unidentified VBS 005 (Telegram Loader)"
Unidentified VBS 005 (Telegram Loader) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_005 |
Unidentified VBS 006 (Telegram Loader)
The tag is: misp-galaxy:malpedia="Unidentified VBS 006 (Telegram Loader)"
Unidentified VBS 006 (Telegram Loader) is also known as:
VBREVSHELL
According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.
The tag is: misp-galaxy:malpedia="VBREVSHELL"
VBREVSHELL is also known as:
WasabiSeed
The tag is: misp-galaxy:malpedia="WasabiSeed"
WasabiSeed is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.wasabiseed |
https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/ |
WhiteShadow
The tag is: misp-galaxy:malpedia="WhiteShadow"
WhiteShadow is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow |
000Stealer
The tag is: misp-galaxy:malpedia="000Stealer"
000Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.000stealer |
0bj3ctivityStealer
Information stealer; based on its strings, it seems to target cryptocurrencies, instant messengers, and browser data.
The tag is: misp-galaxy:malpedia="0bj3ctivityStealer"
0bj3ctivityStealer is also known as:
-
PXRECVOWEIWOEI
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.0bj3ctivity_stealer |
https://mandarnaik016.in/blog/2024-09-21-malware-analysis-pxrecvoweiwoei/ |
3CX Backdoor (Windows)
According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.
The tag is: misp-galaxy:malpedia="3CX Backdoor (Windows)"
3CX Backdoor (Windows) is also known as:
-
SUDDENICON
404 Keylogger
Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
The tag is: misp-galaxy:malpedia="404 Keylogger"
404 Keylogger is also known as:
-
404KeyLogger
-
Snake Keylogger
4h_rat
The tag is: misp-galaxy:malpedia="4h_rat"
4h_rat is also known as:
Links |
https://cocomelonc.github.io/malware/2023/09/25/malware-trick-36.html |
https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html |
5.t Downloader
Downloader used in suspected APT attack against Vietnam.
The tag is: misp-galaxy:malpedia="5.t Downloader"
5.t Downloader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader |
https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/ |
7ev3n
The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."
The tag is: misp-galaxy:malpedia="7ev3n"
7ev3n is also known as:
Links |
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n |
https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/ |
8Base
The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.
The tag is: misp-galaxy:malpedia="8Base"
8Base is also known as:
8.t Dropper
8T_Dropper has been used by the Chinese threat actor TA428 in order to install Cotx RAT onto victims' machines during Operation LagTime IT. According to Proofpoint, the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.
The tag is: misp-galaxy:malpedia="8.t Dropper"
8.t Dropper is also known as:
-
8t_dropper
-
RoyalRoad
9002 RAT
9002 RAT is a Remote Access Tool typically observed being used by an APT to control a victim’s machine. It has been spread via zero-day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a PowerShell command.
The tag is: misp-galaxy:malpedia="9002 RAT"
9002 RAT is also known as:
-
HOMEUNIX
-
Hydraq
-
McRAT
Abaddon
Uses Discord as C&C, has ransomware feature.
The tag is: misp-galaxy:malpedia="Abaddon"
Abaddon is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon |
AbaddonPOS
MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.
The tag is: misp-galaxy:malpedia="AbaddonPOS"
AbaddonPOS is also known as:
-
PinkKite
-
TinyPOS
abantes
The tag is: misp-galaxy:malpedia="abantes"
abantes is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes |
Abbath Banker
The tag is: misp-galaxy:malpedia="Abbath Banker"
Abbath Banker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker |
ABCsync
The tag is: misp-galaxy:malpedia="ABCsync"
ABCsync is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.abcsync |
AbSent Loader
The tag is: misp-galaxy:malpedia="AbSent Loader"
AbSent Loader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader |
ACBackdoor (Windows)
A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.
The tag is: misp-galaxy:malpedia="ACBackdoor (Windows)"
ACBackdoor (Windows) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor |
ACEHASH
ACEHASH is described by FireEye as a combined credential harvester that consists of two components, a loader and an encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).
The tag is: misp-galaxy:malpedia="ACEHASH"
ACEHASH is also known as:
AcidBox
Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.
The tag is: misp-galaxy:malpedia="AcidBox"
AcidBox is also known as:
-
MagicScroll
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox |
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html |
AcridRain
AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.
The tag is: misp-galaxy:malpedia="AcridRain"
AcridRain is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain |
https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/ |
Acronym
The tag is: misp-galaxy:malpedia="Acronym"
Acronym is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym |
ACR Stealer
First introduced in March 2024, ACR Stealer is an information stealer sold as a Malware-as-a-Service (MaaS) on Russian-speaking cybercrime forums by a threat actor named "SheldIO". Researchers posit that this malware is an evolved version of the GrMsk Stealer, which likely aligns with the private stealer that SheldIO has been selling since July 2023. The malware, written in C++, is compatible with Windows 7 through 10, and the seller manages all command and control (C2) infrastructure. ACR Stealer can harvest system information, stored credentials, web browser cookies, cryptocurrency wallets, and configuration files for various programs. Additionally, it employs the dead drop resolver (DDR) technique to obfuscate the actual C2 infrastructure.
The tag is: misp-galaxy:malpedia="ACR Stealer"
ACR Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer |
https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed |
Action RAT
The tag is: misp-galaxy:malpedia="Action RAT"
Action RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat |
Adamantium Thief
The tag is: misp-galaxy:malpedia="Adamantium Thief"
Adamantium Thief is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief |
AdamLocker
Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.
The tag is: misp-galaxy:malpedia="AdamLocker"
AdamLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker |
https://twitter.com/JaromirHorejsi/status/813712587997249536 |
Adhubllka
Ransomware distributed by TA547 in Australia.
The tag is: misp-galaxy:malpedia="Adhubllka"
Adhubllka is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka |
AdKoob
The tag is: misp-galaxy:malpedia="AdKoob"
AdKoob is also known as:
Links |
https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/ |
AdvisorsBot
AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.
The tag is: misp-galaxy:malpedia="AdvisorsBot"
AdvisorsBot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot |
Adylkuzz
The tag is: misp-galaxy:malpedia="Adylkuzz"
Adylkuzz is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz |
AESRT
Ransomware written using .NET.
The tag is: misp-galaxy:malpedia="AESRT"
AESRT is also known as:
Links |
Afrodita
The tag is: misp-galaxy:malpedia="Afrodita"
Afrodita is also known as:
AgendaCrypt
Ransomware written in Go.
The tag is: misp-galaxy:malpedia="AgendaCrypt"
AgendaCrypt is also known as:
-
Agenda
-
Qilin
Agent.BTZ
The tag is: misp-galaxy:malpedia="Agent.BTZ"
Agent.BTZ is also known as:
-
ComRAT
-
Minit
-
Sun rootkit
Agent Racoon
Agent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.
The tag is: misp-galaxy:malpedia="Agent Racoon"
Agent Racoon is also known as:
Agent Tesla
A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host’s clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
The tag is: misp-galaxy:malpedia="Agent Tesla"
Agent Tesla is also known as:
-
AgenTesla
-
AgentTesla
-
Negasteal
AgfSpy
The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.
The tag is: misp-galaxy:malpedia="AgfSpy"
AgfSpy is also known as:
Ahtapot
The tag is: misp-galaxy:malpedia="Ahtapot"
Ahtapot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot |
https://www.sentinelone.com/wp-content/uploads/2021/09/SentinelOne_-SentinelLabs_EGoManiac_WP_V4.pdf |
Akira (Windows)
The tag is: misp-galaxy:malpedia="Akira (Windows)"
Akira (Windows) is also known as:
Albaniiutas
The tag is: misp-galaxy:malpedia="Albaniiutas"
Albaniiutas is also known as:
-
BlueTraveller
Aldibot
According to Trend Micro's Threat Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.
This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.
This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.
This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.
This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
The tag is: misp-galaxy:malpedia="Aldibot"
Aldibot is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot |
Alfonso Stealer
The tag is: misp-galaxy:malpedia="Alfonso Stealer"
Alfonso Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer |
Project Alice
The tag is: misp-galaxy:malpedia="Project Alice"
Project Alice is also known as:
-
AliceATM
-
PrAlice
Alina POS
The tag is: misp-galaxy:malpedia="Alina POS"
Alina POS is also known as:
-
alina_eagle
-
alina_spark
-
katrina
AllaKore
AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.
The tag is: misp-galaxy:malpedia="AllaKore"
AllaKore is also known as:
Allaple
The tag is: misp-galaxy:malpedia="Allaple"
Allaple is also known as:
-
Starman
AllcomeClipper
Allcome is classified as a clipper malware. Clippers are threats designed to read the information saved in the clipboard (the temporary buffer where copied data is stored) and substitute it with attacker-chosen content. The attack mainly targets users who are active in the cryptocurrency sector.
The tag is: misp-galaxy:malpedia="AllcomeClipper"
AllcomeClipper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper |
Almanahe
The tag is: misp-galaxy:malpedia="Almanahe"
Almanahe is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe |
Alma Communicator
The tag is: misp-galaxy:malpedia="Alma Communicator"
Alma Communicator is also known as:
AlmaLocker
The tag is: misp-galaxy:malpedia="AlmaLocker"
AlmaLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker |
AlmondRAT
AlmondRAT is a .NET Remote Access Trojan deployed by the Bitter APT group. It is capable of collecting system information, modifying and exfiltrating data and allows for remote command execution.
The tag is: misp-galaxy:malpedia="AlmondRAT"
AlmondRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.almondrat |
ALPC Local PrivEsc
The tag is: misp-galaxy:malpedia="ALPC Local PrivEsc"
ALPC Local PrivEsc is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe |
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/ |
Alphabet Ransomware
The Alphabet ransomware is a new screenlocker that is still being developed by a criminal developer. Because the malware is not finished, it does not affect any user files.
It includes a screen-locking function which locks the user's screen and prohibits any interaction with the computer.
The tag is: misp-galaxy:malpedia="Alphabet Ransomware"
Alphabet Ransomware is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware |
https://twitter.com/JaromirHorejsi/status/813714602466877440 |
AlphaLocker
AlphaLocker is ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware as a Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost: the ransomware can be purchased for just $65 in bitcoin.
AlphaLocker, also known as Alpha Ransomware, is based on EDA2, an educational ransomware project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned the repository before it was taken down and used it to create a near-perfect clone of EDA2. The ransomware's author is said to pay a great deal of attention to updating the ransomware with new features so that it stays ahead of antivirus engines and evades detection.
AlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates an RSA-2048 key pair, sends the public key to the victim's computer and keeps the private key on the server. On the infected computer, the ransomware generates a fresh AES-256 key for each file it encrypts, encrypts that key with the RSA public key, and sends the wrapped key to the C&C server.
To decrypt their files, victims need the RSA private key, which unwraps the per-file AES keys; without it, the AES-encrypted files on the computer cannot be recovered. Victims have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a decrypter.
The tag is: misp-galaxy:malpedia="AlphaLocker"
AlphaLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker |
AlphaNC
The tag is: misp-galaxy:malpedia="AlphaNC"
AlphaNC is also known as:
AlphaSeed
The tag is: misp-galaxy:malpedia="AlphaSeed"
AlphaSeed is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphaseed |
Alreay
Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.
It uses either RC4 or DES for encryption of its configuration, which is stored in the registry.
It sends detailed information about the victim’s environment, like computer name, Windows version, system locale, and network configuration.
It supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.
It comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zlib (version 1.0.1).
Alreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.
The tag is: misp-galaxy:malpedia="Alreay"
Alreay is also known as:
Links |
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ |
Alureon
The tag is: misp-galaxy:malpedia="Alureon"
Alureon is also known as:
-
Olmarik
-
Pihar
-
TDL
-
TDSS
-
wowlik
Amadey
Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
The tag is: misp-galaxy:malpedia="Amadey"
Amadey is also known as:
AMTsol
The tag is: misp-galaxy:malpedia="AMTsol"
AMTsol is also known as:
-
Adupihan
Anatova Ransomware
Anatova is a ransomware family whose goal is to encrypt every file it can reach and then demand payment from the victim. It also checks whether network shares are connected and encrypts the files on those shares too. The code is prepared to support modular extensions.
The tag is: misp-galaxy:malpedia="Anatova Ransomware"
Anatova Ransomware is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom |
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/ |
Anchor
Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018, it is not delivered to every infected host but only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, multiple experts believe it can be attributed to the same authors.
The tag is: misp-galaxy:malpedia="Anchor"
Anchor is also known as:
AnchorMail
The tag is: misp-galaxy:malpedia="AnchorMail"
AnchorMail is also known as:
-
ANCHOR.MAIL
-
Delegatz
AnchorMTea
Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.
The tag is: misp-galaxy:malpedia="AnchorMTea"
AnchorMTea is also known as:
Andardoor
The tag is: misp-galaxy:malpedia="Andardoor"
Andardoor is also known as:
-
ROCKHATCH
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor |
Andromeda
The tag is: misp-galaxy:malpedia="Andromeda"
Andromeda is also known as:
-
B106-Gamarue
-
B67-SS-Gamarue
-
Gamarue
-
b66
AndroMut
According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.
The tag is: misp-galaxy:malpedia="AndroMut"
AndroMut is also known as:
-
Gelup
Anel
The tag is: misp-galaxy:malpedia="Anel"
Anel is also known as:
-
UPPERCUT
-
lena
AnteFrigus
Ransomware that demands payment in Bitcoin.
The tag is: misp-galaxy:malpedia="AnteFrigus"
AnteFrigus is also known as:
Antilam
The tag is: misp-galaxy:malpedia="Antilam"
Antilam is also known as:
-
Latinus
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam |
Anubis (Windows)
According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.
The tag is: misp-galaxy:malpedia="Anubis (Windows)"
Anubis (Windows) is also known as:
-
Anubis Stealer
Anubis Loader
A loader written in Go, tracked since at least October 2021 by ZeroFox. Originally named Kraken and rebranded to Anubis in February 2022.
The tag is: misp-galaxy:malpedia="Anubis Loader"
Anubis Loader is also known as:
-
Kraken
-
Pepega
APERETIF
The tag is: misp-galaxy:malpedia="APERETIF"
APERETIF is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif |
https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/ |
Apocalipto
The tag is: misp-galaxy:malpedia="Apocalipto"
Apocalipto is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto |
https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf |
Apocalypse
The tag is: misp-galaxy:malpedia="Apocalypse"
Apocalypse is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom |
Apollo
This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.
The tag is: misp-galaxy:malpedia="Apollo"
Apollo is also known as:
Apostle
Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.
The tag is: misp-galaxy:malpedia="Apostle"
Apostle is also known as:
AppleJeus (Windows)
The tag is: misp-galaxy:malpedia="AppleJeus (Windows)"
AppleJeus (Windows) is also known as:
Appleseed
The tag is: misp-galaxy:malpedia="Appleseed"
Appleseed is also known as:
-
JamBog
ArdaMax
According to F-Secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product's website. When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.
This program can be configured to a complete stealth mode, with password protection, to avoid user detection.
The information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).
The tag is: misp-galaxy:malpedia="ArdaMax"
ArdaMax is also known as:
Arefty
The tag is: misp-galaxy:malpedia="Arefty"
Arefty is also known as:
Links |
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/ |
Ares (Windows)
A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.
The tag is: misp-galaxy:malpedia="Ares (Windows)"
Ares (Windows) is also known as:
Links |
https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan |
AresLoader
AresLoader is a malware "downloader" that has been advertised on Russian-language dark web forums such as RAMP and XSS by a threat actor called "DarkBLUP". Researchers assess that this loader is likely a legitimate penetration-testing tool now being abused by threat actors, because a similar project, dubbed "Project Ares", was previously uploaded to GitHub as a proof of concept (PoC) by the well-regarded user and red teamer "CerberSec".
The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:
-
Written in C/C++
-
Supports 64-bit payloads
-
Makes it look like malware spawned by another process
-
Prevents non-Microsoft signed binaries from being injected into malware
-
Hides suspicious imported Windows APIs
-
Leverages anti-analysis techniques to avoid reverse engineering
Furthermore, SystemBC, Amadey and several Raccoon Stealer samples were observed directly installing AresLoader. To date, AresLoader has been seen delivering payloads such as SystemBC, Lumma Stealer, StealC, Aurora Stealer and Laplas Clipper.
The tag is: misp-galaxy:malpedia="AresLoader"
AresLoader is also known as:
ArguePatch
During a campaign against a Ukrainian energy provider, ESET researchers observed a new loader, "ArguePatch", delivering a new version of CaddyWiper. ArguePatch is a modified version of Hex-Rays' Remote Debugger Server (win32_remote.exe). It expects a decryption key and the file containing the CaddyWiper shellcode as command-line parameters.
The tag is: misp-galaxy:malpedia="ArguePatch"
ArguePatch is also known as:
Aria-body
The tag is: misp-galaxy:malpedia="Aria-body"
Aria-body is also known as:
Arid Gopher
This malware is a Go-written variant of Micropsia; according to Deep Instinct it is still in development.
The tag is: misp-galaxy:malpedia="Arid Gopher"
Arid Gopher is also known as:
AridHelper
Helper malware associated with AridGopher, which will provide an alternative persistence mechanism in case "360 total security" is found on a target system.
The tag is: misp-galaxy:malpedia="AridHelper"
AridHelper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.aridhelper |
https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant |
Arik Keylogger
The tag is: misp-galaxy:malpedia="Arik Keylogger"
Arik Keylogger is also known as:
-
Aaron Keylogger
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger |
Arkei Stealer
Arkei is a stealer that appeared around May 2018. It collects data from browsers (saved passwords and autofill forms) and cryptocurrency wallets, and steals files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker's panel. Later, it was forked and used as the base for Vidar stealer.
The tag is: misp-galaxy:malpedia="Arkei Stealer"
Arkei Stealer is also known as:
-
ArkeiStealer
ArrowRAT
It is available as a service, purchasable by anyone for use in their own campaigns. Its features are generally typical of a RAT; its most notable aspect is the hVNC module, which gives an attacker full remote access with minimal technical knowledge required.
The tag is: misp-galaxy:malpedia="ArrowRAT"
ArrowRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat |
ARS VBS Loader
ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.
The tag is: misp-galaxy:malpedia="ARS VBS Loader"
ARS VBS Loader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader |
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/ |
ARTFULPIE
The tag is: misp-galaxy:malpedia="ARTFULPIE"
ARTFULPIE is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie |
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ |
Artra Downloader
The tag is: misp-galaxy:malpedia="Artra Downloader"
Artra Downloader is also known as:
Links |
https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html |
Asbit
The tag is: misp-galaxy:malpedia="Asbit"
Asbit is also known as:
Links |
https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan |
AscentLoader
The tag is: misp-galaxy:malpedia="AscentLoader"
AscentLoader is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader |
ASPC
The tag is: misp-galaxy:malpedia="ASPC"
ASPC is also known as:
Asprox
The tag is: misp-galaxy:malpedia="Asprox"
Asprox is also known as:
-
Aseljo
-
BadSrc
Asruex
The tag is: misp-galaxy:malpedia="Asruex"
Asruex is also known as:
Links |
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html |
Astaroth
First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and has some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now targets users both in North America and Europe.
The tag is: misp-galaxy:malpedia="Astaroth"
Astaroth is also known as:
-
Guildma
Astasia
Astasia is a banking trojan that spreads through phishing emails that contain an executable attachment. Once the attachment is executed, Astasia downloads and installs a trojan that runs in the background. The trojan can steal personal information, such as passwords and credit card numbers, from victims.
The tag is: misp-galaxy:malpedia="Astasia"
Astasia is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia |
AstraLocker
The tag is: misp-galaxy:malpedia="AstraLocker"
AstraLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker |
https://www.emsisoft.com/ransomware-decryption-tools/astralocker |
AsyncRAT
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
The tag is: misp-galaxy:malpedia="AsyncRAT"
AsyncRAT is also known as:
Atharvan
The tag is: misp-galaxy:malpedia="Atharvan"
Atharvan is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan |
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research |
Athena
Part of the Mythic framework; the payload is written in C# (.NET 6) and supports HTTP, WebSockets, Slack and SMB for C2.
The tag is: misp-galaxy:malpedia="Athena"
Athena is also known as:
AthenaGo RAT
The tag is: misp-galaxy:malpedia="AthenaGo RAT"
AthenaGo RAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago |
ATI-Agent
The tag is: misp-galaxy:malpedia="ATI-Agent"
ATI-Agent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent |
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
Atlantida
The tag is: misp-galaxy:malpedia="Atlantida"
Atlantida is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.atlantida |
https://research.checkpoint.com/2024/stargazers-ghost-network/ |
AtlasAgent
The tag is: misp-galaxy:malpedia="AtlasAgent"
AtlasAgent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.atlas_agent |
ATMii
The tag is: misp-galaxy:malpedia="ATMii"
ATMii is also known as:
Links |
https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/ |
ATMitch
The tag is: misp-galaxy:malpedia="ATMitch"
ATMitch is also known as:
Atmosphere
The tag is: misp-galaxy:malpedia="Atmosphere"
Atmosphere is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere |
https://www.group-ib.com/resources/threat-research/silence.html |
ATMSpitter
The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. Both are legitimate vendor libraries used to interact with the components of different ATM models.
The tag is: misp-galaxy:malpedia="ATMSpitter"
ATMSpitter is also known as:
ATOMSILO
According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending the ".ATOMSILO" to its filename. It renames "1.jpg" to "1.jpg.ATOMSILO", "2.jpg" to "2.jpg.ATOMSILO", and so on. As its ransom note, AtomSilo creates the "README-FILE-COMPUTER-NAME-CREATION-TIME.hta" file.
The tag is: misp-galaxy:malpedia="ATOMSILO"
ATOMSILO is also known as:
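The on-disk indicators described above (the ".ATOMSILO" suffix appended to each encrypted file and the README-FILE-<COMPUTER-NAME>-<CREATION-TIME>.hta note) are what an incident responder sweeps for to scope an infection. Added example, not AtomSilo's code; the exact formatting of the computer name and timestamp inside the note's filename is not given on this page, so the pattern matches only the fixed prefix and suffix, and the sample tree is constructed.

```python
"""Scope an AtomSilo-style infection from its file-system indicators:
encrypted files ending in ".ATOMSILO" and an HTA ransom note named
README-FILE-<COMPUTER-NAME>-<CREATION-TIME>.hta.

Added example for incident responders; not AtomSilo's code. The victim tree
built by make_sample_tree() is constructed for a dry run.
"""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".ATOMSILO"
# Only the fixed parts are known; the middle is the computer name and creation time.
NOTE_RE = re.compile(r"^README-FILE-.+\.hta$", re.IGNORECASE)


def scan_tree(root: str) -> dict:
    """Walk `root` and report the encrypted-file count, the ransom notes found
    and which original extensions were hit (shows what the sample targeted)."""
    encrypted = 0
    notes = []
    hit_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted += 1
                # "1.jpg.ATOMSILO" -> original name "1.jpg" -> extension ".jpg"
                original = name[:-len(ENCRYPTED_SUFFIX)]
                hit_exts[os.path.splitext(original)[1].lower() or "<none>"] += 1
            elif NOTE_RE.match(name):
                notes.append(path)
    return {"encrypted_files": encrypted,
            "ransom_notes": sorted(notes),
            "original_extensions": dict(hit_exts)}


def make_sample_tree() -> str:
    """Constructed victim-like directory in a temp location (placeholder content)."""
    root = tempfile.mkdtemp(prefix="atomsilo_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("1.jpg.ATOMSILO", "2.jpg.ATOMSILO", "budget.xlsx.ATOMSILO",
                 "README-FILE-WS-0042-2021-09-20-140301.hta",  # constructed note name
                 "untouched.txt"):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    print(scan_tree(make_sample_tree()))
```

Run against a mounted image rather than the live system where possible; the note count tells you how many directories the encryptor reached, and the extension histogram is a quick check against the family's known target list when you compare samples.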
Attor
Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.
Attor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.
The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim’s screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.
The tag is: misp-galaxy:malpedia="Attor"
Attor is also known as:
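The GSM plugin's identity collection is an exchange with the modem over the AT command set. Added example, not Attor's code: the page names only "the AT command set" and the IMEI, IMSI and MSISDN values, so the specific commands used here are the standard 3GPP TS 27.007 identity commands for those values (AT+CGSN, AT+CIMI, AT+CNUM). The modem is a constructed simulation so the exchange runs offline, and the identifier values are test values, not real devices.

```python
"""The modem-side exchange behind a GSM-aware implant like Attor: identity
queries over the AT command set, returning IMEI, IMSI and MSISDN.

Added example, not Attor's code. AT+CGSN/AT+CIMI/AT+CNUM are the standard
3GPP TS 27.007 commands; the modem and its answers are simulated.
"""
import re


class FakeModem:
    """Simulated modem: answers the three identity queries using the usual
    '<CR><LF>payload<CR><LF><CR><LF>OK<CR><LF>' framing, ERROR otherwise."""

    def __init__(self, imei: str, imsi: str, msisdn: str):
        self._answers = {
            "AT": "",
            "AT+CGSN": imei,
            "AT+CIMI": imsi,
            "AT+CNUM": '+CNUM: "","%s",145' % msisdn,
        }

    def exchange(self, command: str) -> str:
        body = self._answers.get(command.strip().upper())
        if body is None:
            return "\r\nERROR\r\n"
        payload = "\r\n%s\r\n" % body if body else ""
        return payload + "\r\nOK\r\n"


def query(modem, command: str):
    """Send one command; return the payload text, or None on ERROR."""
    lines = [ln for ln in modem.exchange(command).split("\r\n") if ln]
    if not lines or lines[-1] != "OK":
        return None
    return "\n".join(lines[:-1])


def collect_identifiers(modem) -> dict:
    """Fingerprint the attached modem and its SIM. Each value is validated
    before being accepted: IMEI is 15 digits, IMSI 14 or 15 digits, and the
    MSISDN is pulled out of the +CNUM response line."""
    if query(modem, "AT") is None:          # nothing answering on the port
        return {}
    found = {}
    imei = query(modem, "AT+CGSN")
    if imei and re.fullmatch(r"\d{15}", imei):
        found["IMEI"] = imei
    imsi = query(modem, "AT+CIMI")
    if imsi and re.fullmatch(r"\d{14,15}", imsi):
        found["IMSI"] = imsi
    m = re.search(r'\+CNUM: "[^"]*","([^"]+)",\d+', query(modem, "AT+CNUM") or "")
    if m:
        found["MSISDN"] = m.group(1)
    return found
```

On a real host the same logic would open the modem's serial device (a COM port on Windows) instead of FakeModem; a non-modem process opening serial ports and writing "AT+CIMI" is therefore a usable hunting signal for this plugin's behaviour.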
August Stealer
The tag is: misp-galaxy:malpedia="August Stealer"
August Stealer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer |
https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html |
AuKill
According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
The tag is: misp-galaxy:malpedia="AuKill"
AuKill is also known as:
-
SophosKill
Links |
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/ |
Auriga
The tag is: misp-galaxy:malpedia="Auriga"
Auriga is also known as:
-
Riodrv
Aurora
Ransomware
The tag is: misp-galaxy:malpedia="Aurora"
Aurora is also known as:
-
OneKeyLocker
Links |
https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf |
https://twitter.com/malwrhunterteam/status/1001461507513880576 |
Aurora Stealer
First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets and the local system, and acts as a loader. During execution, it runs several commands through WMIC to collect basic host information, takes a desktop screenshot, and exfiltrates the data to the C2 server as a single base64-encoded JSON file.
The tag is: misp-galaxy:malpedia="Aurora Stealer"
Aurora Stealer is also known as:
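The exfiltration shape described above (one POST body that is a single base64 string decoding to a JSON host record) is something a proxy or NIDS can decode and score. Added example for detection engineers, not Aurora Stealer's code; the JSON field names checked are assumptions about what a stealer's host-info record contains, and the request bodies are constructed.

```python
"""Spotting single-blob exfiltration of the kind described for Aurora Stealer:
an HTTP POST body that is one base64 string decoding to a JSON host record.

Added example, not Aurora Stealer's code. FINGERPRINT_KEYS and the bodies
below are constructed assumptions, to be refined from real samples.
"""
import base64
import binascii
import json

# Assumed field names of a stealer's host-info record.
FINGERPRINT_KEYS = {"hostname", "username", "os", "cpu", "gpu", "ram",
                    "hwid", "screenshot", "wallets", "browsers"}


def decode_base64_json(body: bytes):
    """Return the parsed object if `body` is base64(JSON object), else None."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):   # not base64, not UTF-8, or not JSON
        return None
    return obj if isinstance(obj, dict) else None


def score_body(body: bytes, threshold: int = 3):
    """(is_suspicious, matched_keys): suspicious when the decoded JSON carries
    at least `threshold` fingerprint fields."""
    obj = decode_base64_json(body)
    if obj is None:
        return False, []
    matched = sorted(k for k in obj if str(k).lower() in FINGERPRINT_KEYS)
    return len(matched) >= threshold, matched


def build_stealer_body() -> bytes:
    """Constructed body shaped like the described exfil: JSON, base64, one blob.
    The nested screenshot field is itself base64 (PNG magic only, no image)."""
    record = {
        "hostname": "WS-0042", "username": "jdoe", "os": "Windows 10 Pro",
        "cpu": "Intel(R) Core(TM) i7", "gpu": "NVIDIA GeForce", "ram": "16 GB",
        "wallets": ["Exodus", "Electrum"],
        "screenshot": base64.b64encode(b"\x89PNG\r\n\x1a\n").decode("ascii"),
    }
    return base64.b64encode(json.dumps(record).encode("utf-8"))


# Constructed benign bodies the same proxy would also see.
BENIGN_FORM = b"user=jdoe&action=login"
BENIGN_B64 = base64.b64encode(b'{"status": "ok"}')
```

Base64 JSON is also how many legitimate APIs talk, so the key-count threshold, a large body with an embedded image, and a destination with no prior reputation should be combined before alerting; the decoder is the cheap first stage.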
Avaddon
Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.
The tag is: misp-galaxy:malpedia="Avaddon"
Avaddon is also known as:
AvastDisabler
The tag is: misp-galaxy:malpedia="AvastDisabler"
AvastDisabler is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler |
https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/ |
AVCrypt
Bleeping Computer reported the discovery of AVCrypt, a malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may in fact be a wiper.
The tag is: misp-galaxy:malpedia="AVCrypt"
AVCrypt is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt |
https://twitter.com/malwrhunterteam/status/976925447043846145 |
AvD Crypto Stealer
Cyble Research discovered this .NET malware dubbed "AvD Crypto Stealer". The name is misleading, because it is a clipper malware. Cyble assumes that this malware could be aimed at other threat actors.
The tag is: misp-galaxy:malpedia="AvD Crypto Stealer"
AvD Crypto Stealer is also known as:
Links |
https://blog.cyble.com/2022/03/22/hunters-become-the-hunted/ |
Aveo
The tag is: misp-galaxy:malpedia="Aveo"
Aveo is also known as:
Links |
https://www.secureworks.com/research/threat-profiles/bronze-overbrook |
Ave Maria
Information stealer which uses AutoIT for wrapping.
The tag is: misp-galaxy:malpedia="Ave Maria"
Ave Maria is also known as:
-
AVE_MARIA
-
AveMariaRAT
-
Warzone RAT
-
WarzoneRAT
-
avemaria
AvosLocker
AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.
In March 2022, the FBI and US Treasury Department issued a warning about the attacks.
The tag is: misp-galaxy:malpedia="AvosLocker"
AvosLocker is also known as:
Unidentified 061 (Windows)
Was previously wrongly tagged as PoweliksDropper, now looking for additional context.
The tag is: misp-galaxy:malpedia="Unidentified 061 (Windows)"
Unidentified 061 (Windows) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon |
Avzhan
The tag is: misp-galaxy:malpedia="Avzhan"
Avzhan is also known as:
AXLocker
The tag is: misp-galaxy:malpedia="AXLocker"
AXLocker is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.axlocker |
Ayegent
The tag is: misp-galaxy:malpedia="Ayegent"
Ayegent is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent |
Aytoke
Keylogger.
The tag is: misp-galaxy:malpedia="Aytoke"
Aytoke is also known as:
Azorult
AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
The tag is: misp-galaxy:malpedia="Azorult"
Azorult is also known as:
-
PuffStealer
-
Rultazo
Azov Wiper
According to Checkpoint, this malware is a wiper instead of ransomware as self-announced. It is manually written in FASM, unrecoverably overwriting data in blocks of 666 bytes, using multi-threading.
The tag is: misp-galaxy:malpedia="Azov Wiper"
Azov Wiper is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper |
https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper |
Babadeda
According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
The tag is: misp-galaxy:malpedia="Babadeda"
Babadeda is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda |
https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities |
Babar
The tag is: misp-galaxy:malpedia="Babar"
Babar is also known as:
-
SNOWBALL
Babuk (Windows)
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most-used compiled versions, but ESXi builds and an old 32-bit PE executable were observed over time as well. It uses an elliptic curve algorithm (Montgomery algorithm) to build the encryption keys.
The tag is: misp-galaxy:malpedia="Babuk (Windows)"
Babuk (Windows) is also known as:
-
Babyk
-
Vasa Locker
BabyLon RAT
The tag is: misp-galaxy:malpedia="BabyLon RAT"
BabyLon RAT is also known as:
BABYMETAL
BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.
The tag is: misp-galaxy:malpedia="BABYMETAL"
BABYMETAL is also known as:
BabyShark
BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instructions from the operator.
The tag is: misp-galaxy:malpedia="BabyShark"
BabyShark is also known as:
-
LATEOP
Bachosens
The tag is: misp-galaxy:malpedia="Bachosens"
Bachosens is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens |
https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a |
BACKBEND
FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.
The tag is: misp-galaxy:malpedia="BACKBEND"
BACKBEND is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend |
BackConfig
The tag is: misp-galaxy:malpedia="BackConfig"
BackConfig is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig |
https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/ |
BackNet
The tag is: misp-galaxy:malpedia="BackNet"
BackNet is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet |
Backoff POS
The tag is: misp-galaxy:malpedia="Backoff POS"
Backoff POS is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff |
https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/ |
backspace
The tag is: misp-galaxy:malpedia="backspace"
backspace is also known as:
-
Lecna
-
ZRLnk
BackSwap
The tag is: misp-galaxy:malpedia="BackSwap"
BackSwap is also known as:
BADCALL (Windows)
The tag is: misp-galaxy:malpedia="BADCALL (Windows)"
BADCALL (Windows) is also known as:
BadEncript
The tag is: misp-galaxy:malpedia="BadEncript"
BadEncript is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript |
https://twitter.com/PhysicalDrive0/status/833067081981710336 |
badflick
BADFLICK is a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.
The tag is: misp-galaxy:malpedia="badflick"
badflick is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick |
BADHATCH
The tag is: misp-galaxy:malpedia="BADHATCH"
BADHATCH is also known as:
BadNews
The tag is: misp-galaxy:malpedia="BadNews"
BadNews is also known as:
Bagle
The tag is: misp-galaxy:malpedia="Bagle"
Bagle is also known as:
Links |
https://archive.f-secure.com/weblog/archives/carrera_erdelyi_VB2004.pdf |
Bahamut (Windows)
The tag is: misp-galaxy:malpedia="Bahamut (Windows)"
Bahamut (Windows) is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut |
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ |
Baldr
The tag is: misp-galaxy:malpedia="Baldr"
Baldr is also known as:
-
Baldir
BalkanDoor
According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.
The tag is: misp-galaxy:malpedia="BalkanDoor"
BalkanDoor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door |
https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/ |
BalkanRAT
The goal of BalkanRAT, which is the more complex part of the malicious Balkan toolset (cf. BalkanDoor), is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least since January 2016 and targeted accounting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (judging from the contents of the emails, the included links and the decoy PDFs, all of which involved taxes). It was legitimately signed and was installed via an exploit of the WinRAR ACE vulnerability (CVE-2018-20250).
The tag is: misp-galaxy:malpedia="BalkanRAT"
BalkanRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat |
https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/ |
Bamital
The tag is: misp-galaxy:malpedia="Bamital"
Bamital is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital |
https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/ |
Banatrix
The tag is: misp-galaxy:malpedia="Banatrix"
Banatrix is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix |
https://www.cert.pl/en/news/single/banatrix-an-indepth-look/ |
bancos
The tag is: misp-galaxy:malpedia="bancos"
bancos is also known as:
Bandit Stealer
The tag is: misp-galaxy:malpedia="Bandit Stealer"
Bandit Stealer is also known as:
Bandook
Bandook is a remote access trojan (RAT) first seen in 2007 that has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.
The tag is: misp-galaxy:malpedia="Bandook"
Bandook is also known as:
-
Bandok
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook |