Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Tropic Trooper - G0081 (56319646-eb6e-41fc-ae53-aadfa7adb924)	Intrusion Set	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	2
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Exfiltration Over Physical Medium - T1052 (e6415f09-df0e-48de-9aba-928c902b7549)	Attack Pattern	Exfiltration over USB - T1052.001 (a3e1e6c5-9c74-4fc0-a16c-a9d228c17829)	Attack Pattern	2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	2
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	2
ShadowPad - S0596 (ec9e00dd-0313-4d5b-8105-c20aa47abffc)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
KeyBoy - S0387 (5dd649c0-bca4-488b-bd85-b180474ec62e)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	2
YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	YAHOYAH - S0388 (cb444a16-3ea5-4a91-88c6-f329adcb8af3)	Malware	2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	USBferry - S0452 (75bba379-4ba1-467e-8c60-ec2b269ee984)	Malware	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35)	Attack Pattern	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	3
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	4
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	5
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	5