Hide Navigation Hide TOC

Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	1
Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	1
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	1
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Search Threat Vendor Data - T1681 (63b24abc-5702-4745-b1e4-ac70b20a43f2)	Attack Pattern	Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	2
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2)	Attack Pattern	2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6)	Attack Pattern	2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Selective Exclusion - T1679 (9b00925a-7c4b-4e53-bfc8-9a6a806fde03)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470)	Malware	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21)	Attack Pattern	3
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	3
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	3