Hide Navigation Hide TOC

Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Search Threat Vendor Data - T1681 (63b24abc-5702-4745-b1e4-ac70b20a43f2)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6)	Attack Pattern	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Selective Exclusion - T1679 (9b00925a-7c4b-4e53-bfc8-9a6a806fde03)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	3
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	3
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	3