Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859)

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Written Content - T1683.001 (6a6f9892-c46a-46db-b331-c09a99200fcf) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 1
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Search Threat Vendor Data - T1681 (63b24abc-5702-4745-b1e4-ac70b20a43f2) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Audio-Visual Content - T1683.002 (8f452cb4-cbf4-4522-8b11-448787be95c4) Attack Pattern 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 1
Contagious Interview - G1052 (46599a4a-77ee-4697-9474-2683b6464859) Intrusion Set Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 1
Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e) Attack Pattern 2
Written Content - T1683.001 (6a6f9892-c46a-46db-b331-c09a99200fcf) Attack Pattern Generate Content - T1683 (b512fb8a-18dd-4bfc-bbad-acbaaeb7dde3) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 2
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Social Engineering - T1684 (41e4d77a-6275-4976-9e35-785985598519) Attack Pattern Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be) Attack Pattern 2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
XORIndex Loader - S1248 (fedd9fcd-1f9c-4be0-9d84-f31e88eb6664) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
HexEval Loader - S1249 (3d7048f1-012e-468c-a18b-1bf98037d62c) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317) Attack Pattern 2
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Library - T1204.005 (73b24a10-6bf4-4af1-a81e-67b8bcb6c4e6) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Selective Exclusion - T1679 (9b00925a-7c4b-4e53-bfc8-9a6a806fde03) Attack Pattern InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
InvisibleFerret - S1245 (1dac60f2-7d53-4a3e-95d1-cb2e875d5491) Malware Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Log Enumeration - T1654 (866d0d6d-02c6-42bd-aa2f-02907fdc0969) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern BeaverTail - S1246 (6055aee2-d1c6-4877-94e9-a3bde9936470) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Generate Content - T1683 (b512fb8a-18dd-4bfc-bbad-acbaaeb7dde3) Attack Pattern Audio-Visual Content - T1683.002 (8f452cb4-cbf4-4522-8b11-448787be95c4) Attack Pattern 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 2
Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720) Attack Pattern Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 3
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 3