Skip to content

Hide Navigation Hide TOC

Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)

Cluster A Galaxy A Cluster B Galaxy B Level
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 1
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern 1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00) Attack Pattern Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware 2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313) Malware Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 3
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e) Attack Pattern 3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia 3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 3
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
Databases - T1213.006 (248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 3