Skip to content

Hide Navigation Hide TOC

Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern 1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 1
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3