Skip to content

Hide Navigation Hide TOC

Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3)

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set XSL Script Processing - T1220 (ebbe170d-aa74-4946-8511-9921243415a3) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 1
Higaisa - G0126 (54dfec3e-6464-4f74-9d69-b7c817b7e5a3) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 2
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 3